23542300x8000000000000000198869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:01.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD2BCE36E39BC17F3669976070B0D78,SHA256=6D088E6B4864120B447AF6BB46816BBC233363AE762E39AA20D264EC5D5AB31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:01.679{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F4781CE21F21A0ABEE9A8930CCC1AB3E,SHA256=6CFBD43568EDCE4307942F2BF697ED4DB74AED83F3FCB542D20CF7F2BB360800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:36:58.486{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57099-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:01.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8567E758877F100556535283B293D0D4,SHA256=0E69A54C42F3D58862BE07B14E580108821565F842C900B6119D060084E76D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:02.979{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508E89195AC37F7440C4449C1DD7B335,SHA256=BBFD7A90345925DEFAA879E84B785A61BC3A4DF09F18B296A1FDC5280BCA78CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:02.127{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDF4FA0A1F5923370F27CD9C98E8E33,SHA256=9A82BB56C66E99350B4CD16D6B1269C2D6DFE5E59C4084128C701E95B2DC5904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.997{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.986{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.972{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57E5AFA0C37B6F0EF81A00DF6CCD2D86,SHA256=FA524206D183B8590524CC4374884B019415D83B220BDE05C9E2251A824CD5AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.971{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.945{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.932{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.924{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.914{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.905{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.844{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.842{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.254{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8020A1434BD8179CDDBD2A503BF0719,SHA256=3E4D350B31D776D4265E2C34495BC25968183003E6021D555C3DD39421846F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.930{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49EC12A76C11C3993701D1CBC75757CE,SHA256=4F2D5AF7296F62071CD57818DC98D54F565FBAAE20B4361ADDAC42AA09A90BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.466{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.463{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.294{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8369EA5EDF8BD21669C4CF2A4BD7C9D,SHA256=118D5EAA78E407524C769CD74D6D42C653F3ADE34EE0D52E55D00C7677D661A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.827{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E37392DF69EC266C4A8271003AFE92E3,SHA256=D4EC148C91DA211239FD57E3ECBAAC629E03F59F125042309375AD757DE3AB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.067{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB97D740E34442D8E917EF9A8E05C7A,SHA256=52FCB0B1668DF90E4F37EDA181699C9D621648875DD90B74F7723E06947D6D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.084{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.080{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.072{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.065{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.061{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.046{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.037{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.034{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.032{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.024{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.019{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.005{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:05.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A73857E3395C9FA4F24E3705E0172E,SHA256=EF02883C93E2F665EB7D175A8E16A5F6D3C822B8732FA42EDC03B7CADF7AE71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:05.172{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB29CB2FCDCE7A4BFC15D3B44E0E5F4,SHA256=AEF07F4C2B7C6A0DB8F95127D7C5FC9FE87D8299F37A47336D6A9E7D1A0FEBDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.906{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59647- 354300x8000000000000000289088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.904{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local63201- 354300x8000000000000000289087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.899{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62635- 354300x8000000000000000289086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.897{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62461- 354300x8000000000000000289085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.896{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local54475- 354300x8000000000000000289084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.892{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58434- 354300x8000000000000000289083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.891{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61487- 354300x8000000000000000289082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.888{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local63279- 354300x8000000000000000289081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.887{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65292- 354300x8000000000000000289080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.885{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59966- 354300x8000000000000000289079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.885{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51284- 354300x8000000000000000289078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.883{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51804- 354300x8000000000000000289077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.883{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60833- 354300x8000000000000000289076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.877{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52732- 354300x8000000000000000289075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.871{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61311- 354300x8000000000000000289074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.869{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local64735- 354300x8000000000000000289073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.868{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59276- 354300x8000000000000000289072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.867{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62833- 354300x8000000000000000289071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.867{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51111- 354300x8000000000000000289070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.866{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59255- 354300x8000000000000000289069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.865{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52831- 354300x8000000000000000289068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.864{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59718- 354300x8000000000000000289067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.864{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64186- 354300x8000000000000000289066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.863{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61957- 354300x8000000000000000289065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.859{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51599- 354300x8000000000000000289064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.858{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59741- 354300x8000000000000000289063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.851{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62786- 354300x8000000000000000289062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.849{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60271- 354300x8000000000000000289061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.847{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59339- 354300x8000000000000000289060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.847{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60474- 354300x8000000000000000289059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.844{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local64341- 354300x8000000000000000289058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.842{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59206- 354300x8000000000000000289057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.842{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59206-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000289056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.841{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50443- 354300x8000000000000000289055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.841{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50443-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000289054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.833{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57102-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000289053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.833{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57102-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local49666- 10341000x8000000000000000289052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.503{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.502{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.500{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000289049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:06.400{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD8A63ECB23BB106E9314DC4CB71C9,SHA256=BC458F501F5E7721B0491CE6D96BBC2312CEE42C0485ADF5A863C0B888868028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:06.253{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4976B3C1D53DC79A9832805FE460F6,SHA256=C09B8625F367D44919C2A731CDA5D69C36282723FB773D01D5D583FDC0C1408D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.364{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57101-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000289047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.993{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57100-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000289046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:03.993{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57100-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000198876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:07.352{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7C2E2AE7539A5876BBD1C1CBE51E21,SHA256=DCB735CD7D3766DDA560030FDC783C14FE4D83109841C3CF4FDDF28F0577CA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A207B67262B9B6A1ECD83111D39ED2,SHA256=85DAABEB98D5FA5BD2CF0552F40C612E90998603F9F8A096AC546935F21400E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164F6406B5B466414724F04C3DAC005E,SHA256=22574AED601A4CEFD89B79CE3357B36383641B32503DC7284ABFAA251B6B78DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.262{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.262{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.260{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.245{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.239{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.235{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.229{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.222{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.216{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.211{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.210{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.206{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.200{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.197{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.183{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.143{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.129{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.128{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.125{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.098{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.064{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.036{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.035{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.030{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.023{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.022{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.019{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000289090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:07.018{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 354300x8000000000000000198875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:04.344{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:08.443{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3D2746B0280A30CB52B60FBD10386,SHA256=84D68B1BC8D7A64A6B16F40E1829FB62065608BCE29B4FF63421D5A97E3121C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:08.804{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AF001E9CFA4EF9D2C450D2118B758,SHA256=E7D9DD964266BD705001D72C0AF8A9809156E1476CADB5FE733FB7D1CA821454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.917{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51046- 354300x8000000000000000289125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.917{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59846- 354300x8000000000000000289124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.915{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local52191- 354300x8000000000000000289123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:04.914{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65378- 23542300x8000000000000000198878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:09.540{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69680D2680397E30C74F458E10A7208F,SHA256=F968888DAB5AC0C377CD07369BF7DD6AB48A60BE5003B5DB599B96D6F7C1FAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:09.852{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3336573FAA8BF312F03BA378E085E48,SHA256=C30DF261B335374B9719BCCF99609FD95B88483D946B2A28DB74952075F8D541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:10.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A872847B1069D9F8CE591FE568B216,SHA256=94BEF60710D0249A60CFA5B679A29079A04A4FE605BBCB9FD194914C2505AC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:10.891{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC5DB0AC27CDD2EA2DC34C6A1238AD8,SHA256=6AC47BB3593F0D203DAF5462AD9B552ACABA14FFA3365ED1DCC1CFFB4A9CB8D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.866{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.810{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.804{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000198881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000198880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:11.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBF56A7B59325DEAE789C55A41822CA,SHA256=DFEC279C352210E94DF289270824A702D43498C75409E62C0FF02D2F555B0D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:11.924{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D82DDA1A1E8AF509B364A33D2E63956,SHA256=DE6AA83BDA2AA79ED35F1402BA3BFE8AA0147BC577014E2D0D9369DC9E9BAFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:11.126{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-073MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:12.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779E3DA29CE97ADAEFB9E933CB6EF3C7,SHA256=B5973A24770AC08ABB3201A41C9B3E561C4E7248257377284A39D84AFDD8DA29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:09.495{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50583-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000289133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:09.453{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57103-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:12.125{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:13.210{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040D0AB48F848207246797013B284293,SHA256=21B408CFDE15BC1015142FBADD511A2F9FD332FCCEEDD4CBB6D3F5A078929F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.365{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.351{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:14.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9561AD11AC46A7854D57198F9F1537F6,SHA256=5DA3AFE9F89FB9F3514C141BE72900A336A911F06BEA27D86E1DEA41195243D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:14.012{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59B5B8FF277FA3CD261912D24600D5A,SHA256=752241AAA159A5632F8576C1459FDE76129739ECD113063B94668972012D9E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:15.433{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E45008B825F42C90760CFDDC2BFCB0,SHA256=1BF2FB6E23E768D66F47F6B448578E980681CCCBBE91FC674754611DE3291BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:15.149{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68EC8BED80726A6694B54DB4EF53C98,SHA256=79E3B290B683C9628858416D47A2DEA11FF10186C4CDC5044D1527C1D95EDF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:16.535{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87386B81582D04042F22A86856BA9EE3,SHA256=D71A637F17719F4BA185A56B1BA7655E938EFC91915891AC038FAE49C2F904AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:16.184{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5F7C6BC266CA10DB1C19E4FB0614B1,SHA256=2610529BC154364A435B48E3632FF54A89F510AE78CDD45B1E502E3A2482FE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:17.616{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078C3CBACCC52E1A0875D6D2FE47870A,SHA256=01EDD95F162673C3BCE2F05C3369AC6C03A6E4AB76A2065555CC7C02AE8D743D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:15.433{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57104-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:17.234{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0026B95529630C2CFE04156506834228,SHA256=FC9AF62942EE43C2B65A9F6AB34A95F4DB6BA6F8FEF3014047B77B60F404D798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:18.706{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8416D922609ABE6FB1FA5183610D38B6,SHA256=0241A2F1008F6D9AD296DD2CE5B10C537B35105DCF3012B96ABEDEC445A9A714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:18.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF995FB9CF00AB2AF25121CFE4724E83,SHA256=39A650378B8C8F6CFD4DD0F9F4D40174A6D731F911033900276F45EB519A32D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:15.377{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50584-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:19.799{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CA85FB42D2B1E2D9D773FB1726F355,SHA256=C3EA0530CB0E47CCD863BBE0839F27C1FDDEEBD172EB26C633CC60D54F07D98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:19.337{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77CDB817F2FF4A462D3B8708FF07BC0,SHA256=8A999F0A60E2346F4B746E57D580A33276ACFA71091441906CA2D4A4CD995446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:19.674{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06B99E075C770F3295E0C2B80EBD29E6,SHA256=F99B2D46ACC5E5123B203B4B244258DEB2090BC5B704E505A42583ABABC19534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:20.896{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51A00F9ABA4C6D2BDFF3AEDA1374359,SHA256=9F93615022A35F7FBD610D68264C8FA00DF6393D289AA16AB0A339B49480CAC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.545{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.545{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.462{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E866A2F323C11D146CD6AC74464B7BC,SHA256=269DA393F3EC5FBFF46663047DEBCA97F9CDCE1272C031DF646735BDFEEFEFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:21.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA16EC95572D6F2E84389E7E037FF0A7,SHA256=9A1FF675299383D869B7FA54996FE6C4D163D46CB5D0D5D8E8A8123DB9D217D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:21.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D06E3EE631B770656688051FAF2B504,SHA256=EB6280EC0DA700CD00646CDDC98F578A81B97DDF032652A17050EE75ACCDA5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:22.578{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EAC297FE1E0722923F9EAB1741534,SHA256=15EF0C21C796E7C25DAC855AFE483B0A01C24C420765391CD36D992DBF0DEA02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:22.563{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:20.578{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57105-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.988{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.977{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.968{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.940{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.928{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.920{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.910{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.899{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.853{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.843{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:23.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECF4F5A883719F033098EEE9C36A449,SHA256=4F6D17011E82A37D0F547D8A5AE012D518A94A20493FD9311C7CFC4F6A30BE15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:20.514{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50585-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:23.063{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E449599C9D8481CDD88F0860EF7E0DD8,SHA256=64F623622D4F88C43141FAFCA732E8A637F01012A626575A25EDBF9E32283648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.667{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED95222C38694BE9FD80B28F9312CC,SHA256=921316AABF978FDDC9669E5826D6B7F2ADB66B2E1D299E71705FD9B26BDBF860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:24.153{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86F0A8ECFE8BE59343D11EDF2E88A82,SHA256=E362FF22564FE44901324D0D231F5CC512633D5605D7334E2FC047A5BB6F1CFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.463{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.460{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.084{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.078{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.076{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.068{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.049{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.037{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.033{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.030{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.028{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.021{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.015{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:24.000{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:25.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7278910401250D272D9793293EB4C36,SHA256=144F2ED73000F1278CA245E7BDB7B68A63AB4D1564E6AD9CA46FB17EFE304A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:25.251{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FDE1E32C69F8E08295D94408DA484C,SHA256=1CAEB3938B88E48E34092A71F5F88C84F3F34CB73FDB59CB4892E838B6468BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.995{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.992{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.991{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.989{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.989{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.925{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08E970923342DDF4DA6A0F4EFCF3020,SHA256=F1EFD6E86CD4B3F4D06C3977C843E1114D52F59F48C59CFA659161C090741AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:26.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ECE01EADAC7AC21E6D544BCE80263F,SHA256=136ED70215B3CB4EDB4446784DAD3DD4AA25EB376F6A2C20F1143D769CD735C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.475{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.474{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.471{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.331{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.331{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.318{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:27.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E57934A81712D67F7BFDD6897F4F780,SHA256=3A820790C85CB3DF94B86D09CC90545205305798F88BDB57DEB06E722DCD90C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.688{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=191133D00F06479D992A761B930B7A84,SHA256=508F8616178D156C299C37182C0A22BB412D7F4EAB24F23055D6B7FFD8668B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.673{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=F15312A6AC9DD62E8DD470B6BF6FC453,SHA256=974DA5D4DEAC28B0F1FB56AACF3CEFA0EA944587ADC68FC7731DA52A67765647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.341{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.177{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.176{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.174{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.162{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.160{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.157{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.155{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.152{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.147{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.146{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.145{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.142{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.139{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.137{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.130{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.111{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.100{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.097{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.094{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.073{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.064{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.025{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.017{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.004{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:27.000{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000198933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:28.547{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D3B7EF78D00B86507C1A7553F354E5,SHA256=35719E87EBB2D234BAAC1B93275CB58FB36D8A2585AD21E42FDB2ACC6BDE3528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:28.058{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1759E62921B21BE2BC0D4A5BC1B4FA9,SHA256=45E72E3B70AA935C11D3A6981B70E365BA061ED19D3B1D05F6626DD7CCD5ADA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:26.329{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50586-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:29.689{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:29.657{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE339CAFBE9E0402C8331FFBE9BE9EE,SHA256=FF17AE9BAE33C3545CCA8EC223367ABEDDC2512C8D10A679E0B4FEE7477BE879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.859{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.815{30B46F62-5A49-6352-5903-000000008B02}73846184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.583{30B46F62-5A49-6352-5903-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:26.540{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57106-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.107{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19F16B67B6F188457360905FF5E71FF,SHA256=1DA8A24D780D8B97BBBBB4749D034188FA92C720491EC6E5EBCA4153A74ADBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:30.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FFF79D3C1F8AA8952168C30613607E,SHA256=7F26832B5476727D06FC31D5B606224FA048B2BFE4F65F1D693F1291A7D47832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.837{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.838{30B46F62-5A4A-6352-5B03-000000008B02}7616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B248ED313D4458B34154EA25C61BA3A4,SHA256=DA00A6F35FCD7023DA086C196EE724904F830E19618EA0BC39166D6E179920F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46E72D46EF702361BD8085DD429159A8,SHA256=D17A2D588177F3E5E026722FB4FD007A3A8E3EE8A08CBB1DF7D7687800D374BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.227{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.226{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.225{30B46F62-5A4A-6352-5A03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:30.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E00E0FFE15A1EF653EA28C017C70FA8,SHA256=4E185BDA4E611385C3D4D3EAE7C7AF39F948C76E13E57FA3444DBE0E3E8BCF4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000198945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.835{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AC7FF7EB710F0ADE9B6BC6EC006839,SHA256=EAE5DEA022EDDD2A764BD486ABF5FD0E7A2DE0F6830EE518984BEAAF3D1D85EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.798{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.788{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.748{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000198938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.746{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 354300x8000000000000000198937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:28.982{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50587-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.907{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2909570496BB5BEE8CEEE42243296216,SHA256=BA7B6A9E6C02B3CAE62A0552C80A8CE5A907DB747B63D2115361F15E81E9DDC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:29.176{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.238{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494B77C998E88983FFCEFF6B7B203235,SHA256=3E1A1D162CAD0D44B730554E46C78A0F22C6A14E435333A9318893FFEBC6B3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:32.886{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6A448B32635A01A89110393680298F,SHA256=31A653E049BA0612AB371AC48387EC3E69208393E3F552BD7F952B7C34D1E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.708{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=A466FCD17E78986F3170A11259340F52,SHA256=E83432514BE5B2B2A2176A6F603FA6FE2CB97D0469DCC14CEB72F32886FFB212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7A6D32585469DB5F0BE7A601110E26,SHA256=D9FBC02E27A165836A48B673070FDA851E608AB75EF098E8BCAA9488533513BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:33.924{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6E1A19FB159A67CA66FF9A63A6F299,SHA256=35619678CDF530A32F924B2D3073E6E2327F12F3C4DF0489A82812E6C676F59A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.509{30B46F62-5A4D-6352-5C03-000000008B02}32366356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.672{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57108-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:31.672{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57108-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAD514FC473125246A4CF4A14FD855F,SHA256=1D01C59A7E59BABF68B9AE985E46390C2E9D864DB4CB3BDB2CFF17769CA87760,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:31.421{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50588-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:33.277{30B46F62-5A4D-6352-5C03-000000008B02}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.683{30B46F62-5A4E-6352-5D03-000000008B02}75044092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:32.473{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57109-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.479{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.478{30B46F62-5A4E-6352-5D03-000000008B02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:34.394{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E545B4AEFA45F61B8A7F1103F66CCC4,SHA256=E5DC6CC7BD9F3942BDEAFA15803050BCB02990FBE4F2A9B096481E35D4993482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.827{30B46F62-5A4F-6352-5F03-000000008B02}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.442{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD7645BD25A8A92A7F871831317C56E,SHA256=5785C06FF6356DA08DD121AEC43B113269A65070B2DDB327535820008575334A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:35.015{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97733728E0E23D739D1B93107FCA3DEF,SHA256=2E363F439A40ABC0A92EE828FFE0330BE003CD6F7358A917E9E03675AC5FC5BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.379{30B46F62-5A4F-6352-5E03-000000008B02}76766260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.162{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.161{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.161{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.160{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.160{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:35.159{30B46F62-5A4F-6352-5E03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:36.896{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E239388F0C9798506E715E3366E8B05E,SHA256=ACF40E23177E1AC0C9C4109A9103CFAC405A424890090356B7DECC66F719E253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:36.527{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679866598294C1D2CB1DE0313448BFB8,SHA256=B7963CCB0060ABB7A64688526BF83E8000681350043DCC788EE4FBFC127AEA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:36.105{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913663215DECFADE86BBB931154A7163,SHA256=509E2A75577F68869B4C6E7A5E778AC42D2E874A2627203893E2A03441101E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:37.581{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC83B05E7E5BE05A6C499F1CB0D6DA66,SHA256=6DCC9FB5F8674BD62B62058F721682FF044BAEAF2F1C67E47FB36CEE0EA65816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:37.200{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9532DFB63DA50AC2662DEF9C1DA847,SHA256=70EACDAC4F00A44A3612D954E0449E2465734B1E0A1DA19A00C4B7D3DCBD63DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:36.545{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50589-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:38.303{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7560206F9BB1F04B660B8C9FF192E847,SHA256=D7E7711F432C65D4950AF675D5D4F1CEBBD16E2F7C4815827FD4E3271D5F4C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:38.715{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74109FEBBCA3D018423FAB56828A8E58,SHA256=FBDFF90BE824827507E75915AF57F70C255E31CAC4AFBAF2F5D613F0B31EA895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:39.397{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AE34B0CE0081E7E2049854C6205B02,SHA256=EE7FE034BDE7BA96A45608D40D8B751B468EE3502EC1EBB1F417343F7C658246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:39.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686AF5D6427D7E16DB8C5D701F64A7B3,SHA256=377FD2A825095A97270490A1054EC650280EA5A6D2CCBC718D92153C664C5F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:40.475{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FDEAB95AA8D4B69C9C6BAD80A7EBB4,SHA256=901B0EDB3215DB057BE04BA8DB99BDF06561AC0DB81A7E37A119F80CA4B9BAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.886{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C8E7526159FBCADA5B46046A6B1B8F,SHA256=710F4AEC19E8D8DBACFC9E8402A970837F62336A3CFFEE65F21FE3D6754857B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:40.532{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000289302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:37.594{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57110-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:41.568{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF70DAECAAA1F68B7E0B671CD2E06351,SHA256=D9474AED42DD4AE4551A15B406159C85BC3E35685044B261DC00E163EAC68836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:41.951{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABBEFCB9DD76DD0CCB200EC29CF5BC0,SHA256=403D246CE625DED331795FAB413EED3D4555AD059F80D7C91729889E18107E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:42.658{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8823CFFDFD7F9802229CA81F83961C,SHA256=78DAF9A65EC42D07D7120BEC2F95211DB5708AF01A7C8858C13C6AADDDDB167D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:43.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8343CA733B478F1E7435C52DE90832,SHA256=45D06056B1502591B1BC999A8EB66ECCE60C8BADFA60C9CD3578A55C2BCE1F1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.998{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.992{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.958{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.948{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.941{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.918{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.908{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.898{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.890{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.881{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.840{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.837{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.051{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675D6150F52956FBEACEB2F5306FBC5E,SHA256=C156DC4ED4EA300EB4BA80944E9EC2AF2D339F1C52F51D9770C1D6311730F133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:42.490{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50590-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:44.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F514528229070995DB2CAB49E91F,SHA256=A45AA57CB53409A60CFE82EBAA896B52AA81236CA7CF181FD1E2D491954762E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.523{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.511{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.120{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DD001AA62E08556A2749CB46BB7B8C,SHA256=59AC3FFF746CD60785859BE6129B87AC48049DB218E9FFDF8EC13264CAC60404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.035{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.030{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.028{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.022{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.020{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.012{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.003{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:44.001{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000198997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.946{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA8F647C95553CEB1F9FA9E7D8C9664,SHA256=CA15F69F964D59A08B4917A91A88ED3DC587B9FBD40F8A9796D7B03A223E17E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.634{EFF5EEA8-5A59-6352-AA02-000000008C02}12482356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.477{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:45.478{EFF5EEA8-5A59-6352-AA02-000000008C02}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:43.500{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57111-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:45.197{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B794A44E641DDA3F64FA94B54E532,SHA256=01B58B4DBFF179CB6648A26109252FE8A1AF2EA4672082070ED4FAC66BFBCA04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.563{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.562{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.560{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:46.313{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DDBA66D576C984CB99A70B6FBD6F7D,SHA256=B8BEF9A8EA1D9B3C753CE206CB6526A7B3B994FA7E8F77DC5A5CBFD22455881F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.832{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.833{EFF5EEA8-5A5A-6352-AC02-000000008C02}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=817285FE98AD9670B70A6EC612FB5B4B,SHA256=9C18EEC6BFE32063DAFBB7B1EAC0D63EF8F7EE84D1A2C9C5263DBC2BAD9809FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F4017CA78DDCC86223308849F0129EAC,SHA256=0DC10B3A9EBF6A2DF07FE56D15603745CB18EDF51A9BF3A9769C8162D101EBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.307{EFF5EEA8-5A5A-6352-AB02-000000008C02}40283368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.149{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:46.150{EFF5EEA8-5A5A-6352-AB02-000000008C02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.429{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC7D98EDCC356AD3C03C61165AD28DA,SHA256=9C9D17FE55C1818C2223787CA5CB9781E9E9E969111992B27BF04324D5102FC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.647{EFF5EEA8-5A5B-6352-AD02-000000008C02}34523952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.491{EFF5EEA8-5A5B-6352-AD02-000000008C02}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:47.225{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95129C459E3C0A3471ACF97924B0487B,SHA256=3FD46FE86C11E2153566EF4E2774D58E4C9BDAD715C5BF0484101274592EF07D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.258{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.243{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.240{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.238{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.235{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.232{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.227{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.226{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.223{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.220{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.217{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.215{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.208{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.190{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.179{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.174{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.157{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.145{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.104{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.095{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.090{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.088{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.085{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.081{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.080{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.078{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:47.077{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:48.514{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E59D3FAAC2C0B5FDC1BD57F51C2C68D,SHA256=4F35A1352D45BBD10D97D5A018A36F62EA2B2707DE6C3BDF984DB6AEC5DE8CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.845{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.846{EFF5EEA8-5A5C-6352-AF02-000000008C02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000199056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.336{EFF5EEA8-5A5C-6352-AE02-000000008C02}4161996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.336{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9FD7C544020363A5798570C494E886,SHA256=3AB26D4AA48CA50883615485C3ED11418E8BE1B39A6E6CBD08B8AD017141D8AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.164{EFF5EEA8-5A5C-6352-AE02-000000008C02}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:49.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3489892D6104A580B10DE96027473F49,SHA256=608DFA485240653D717805936AB3D8DF5DD9DA70C33B48D241F98668E09B03E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.890{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=435B7D0692E5E749EDBE3E3B64B92F24,SHA256=5062E7329FCF4C2657E749C28690E9F54ED41D2E8432341EEB88D15B933065E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.458{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015678C640FC042506253CE0ED537938,SHA256=9243DB9C64D54A483C0860E911B1D80064DD03C20ADB769904885D733195205D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.443{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:49.444{EFF5EEA8-5A5D-6352-B002-000000008C02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:50.703{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6F66B01CC7C58656CF99DB4445F8F1,SHA256=2A5EAFBE6C1799B0DA58DA208B82F8B92F80114403A0629FD63B5EDC36AA14E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:50.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D933DEADF8C1ADBC7E7FF35E362112C,SHA256=8FD889C1E561F8124919CEED0B3B4F432B112AAC9B41FF1F8DF5559D9784FDE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.871{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.823{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.809{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.768{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.749{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.746{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000199087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:51.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C28673DF3D3B02818D602A138AA03FE,SHA256=2F8AE57E53FD72393F0DAF1DFAC0CA8C7877E655E40BA9735481461FCF6B93A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:51.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCDBF546558B152C6083AAC14B663BB,SHA256=981C331E14E907D372D6DC44743F68B43A67B76CBECFD47ECDB6B1F527C42CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:49.452{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57112-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000199086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:48.346{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50591-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:52.819{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC406B4ADE6AC1D0AA86802EFEB0E1F5,SHA256=99C7BB32D350FB15B2339C16C49B56E3E42EDE2617F89F2F5384F7215CBA07C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:53.837{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1D3EA833C3005BDAC7B095C70314E6,SHA256=C7EE6EABDD14D9DDAE3D4B425EF287B75CE1FADADEC9638AE71993AD6D37A284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:53.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD1690771D1A18A953F7F8253937CBD,SHA256=6893108D508A63A0563EF557C3D54BA0632F529E3DEAB328FCAC3844C1BEA97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:54.936{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5DB79279EAB6980DF17A1DFF2E4113,SHA256=02E6EEDFA0A2878549D767EE2A1EA0514B997F8589BA70F9ABCB9443CD3BFED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:54.367{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833615A838A37A7619CDBD616A1FD72,SHA256=3B6D3334EBF50AF6ACE4B0440BE004B6738722BBF3EAA19C6F68FC08AC02CAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:55.469{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76EED35AC53C77E8705720CF708A0F3,SHA256=6BC065E812C61119FD962F836E8E78E8404CE8392AA06209E2396005D5E81CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:56.557{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B717DB2CCB7B586FB635B644487D44,SHA256=9C63D367029B90A1B43B338DC7B4EED70DE5A6D8459E4458DFF22A08983B8EB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:54.571{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57113-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:56.021{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC8482A02BF904B32DE7FD5C36866BD,SHA256=4A69000E09757F9D66CEEBF345024763A9FAB1780C2380498C44F5AE715693C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:53.442{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50592-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:57.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803811ECCD2708DBB14705195A9FF195,SHA256=D972228C50C8C991367BFAFBF350A3044AB052E8BD9A1A923EFAAD4F86AABC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:57.138{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4B210E01100994BDBBF7214B52FC88,SHA256=755DCBA75B7252460715FBA284B0CD6A11060251ADBB16BFB7A876E7E569D687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:58.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF228A48E5F6D7D37781A85357DD65DE,SHA256=C1A9E7F4D447464F10A1EC06C9A4C7410A8844352BCC3DC6BC211F31D55D86F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:58.268{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691CABEAB9BBEA10C597A172CF908C30,SHA256=95BB6CDFFA4D92A62BE00D6712088A484C2B659C5C3F5267EA9A6D360E4F218B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:59.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD01BC747F4938B761C8560981D57CD,SHA256=6D14402F5EA2B579A5F71FCF30379E04AB721BF021E6D09FD4989ED758EEF599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:37:59.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5034305FFB18CB79D88F56CB6743CBF3,SHA256=5D094822FBAA1653B99D60AA45076D700350A044E300BF57038434F93EA4BE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:00.929{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3BDF7D1E156015DE2E19629FCAF03C,SHA256=5200870A1D731495AE96F51264AD3C0420FC059CACEC0EFB2C51DE9F69991CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:00.407{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66BD242FB48DE71A8EF5D0E0CC96728,SHA256=9EC8ABDCC2BA2DC7047A60F4A693455C62711C09AB374A7A5A8490A9EEE02F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:00.618{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-074MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:01.538{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B701633C5C02E27784387FDE1879FFB5,SHA256=5578FA1BE283D2A1C8EFD31983E09F2940B4915178C7DB9D87FE16C9D3C068CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:01.620{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:37:59.371{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50593-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:01.139{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E467180CFAA12EC73A83984C9D6E9AA6,SHA256=F12C6397D2B75CDABA2451FE10354FEFD7FB19CDA07C15F3D0900959F63743F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:00.542{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57114-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:02.656{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EA0070828EA60696AE32A47BA3E468,SHA256=07142B65510296A1FCF346219FFFEBEB89FECBA75C431800E1974C35DA97CFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:02.008{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0983F11811417C0E51222C523844C9FC,SHA256=45104DDFB5BF6D5C929FDD617C91B48AEEA0E8D6420F0B8BBA641247BDFD8078,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.995{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.987{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.970{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=016451A3784E1467F969D2C46A4FB92F,SHA256=7136B4FBD6A5BD654353B188EC99442836361E0099389CF9A801B49D759EEC3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.950{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.938{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.926{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.916{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.902{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.841{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:03.772{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F06B491E590ED54CBC24FCAF518CCA5,SHA256=2DF208224A0C6689AE96356B8451FEFF399EB304A18BBCB7AE5257EF1E22FC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:03.106{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D777215BAA7551BC572C8513D8CB9E1,SHA256=295E1BCEC951683C74B81DBF64B8CA3C134E86BE698908ED18BA3DBF05B864DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DDF7CD5D148740A6808F7F1E78F7F6,SHA256=CD388F7F7500EA7FDC9F1B1EDB359E529799A676B98B54523AEC6591942EFEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:04.833{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6990D4AD0C1A1AEFABAD48253F79B3B5,SHA256=9D977A9077D5D4ED3AC0C28208022671F34784F7A85E7C4512389BB4A53F959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:04.205{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA00B13711130D09A72350E10270646,SHA256=129F557CA35E85A41BF630AAD7824B0E64A70FCBBEE2AB9EDACCA72D53692881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.584{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.581{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.122{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.099{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.097{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.067{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.059{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.057{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.046{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.018{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:04.007{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000289449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:05.927{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6639BF80A134B35114F3006167D326E,SHA256=22AED4F08AB59D8514C79D6455BFD89C10B6D198B35CFCE6B59E63DABC40D716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:05.288{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAD55F961763DC5C1E98657EDC3CE66,SHA256=8D9BD18860243335CD5BB5524977DD47113EAA9E1857DA7F9B88A975F187EC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.995{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBA45C3DD51886463D04F2689C3DBF5,SHA256=B1C1530B8C8DF29B3D70D039B775EDB37AC80B5DAEF714B4CFCC36094EFFD28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:06.375{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60891085D7D7E98B6F036629C6981129,SHA256=52143B0A88C82504CA81B80CD47AEE235BF1B6720275E480470CF82BCD59C4D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.614{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.613{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:06.611{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:07.468{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A992C1B28597663D25541562BBFF73,SHA256=59CDDC281EFE9106D7D904C714607E101F27094A554F525D565219A8ACA52448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.379{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.379{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.377{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.364{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.361{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.359{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.356{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.353{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.350{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.349{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.348{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.345{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.342{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.340{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.323{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.294{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.281{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.278{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.276{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.250{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.230{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.202{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.191{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.176{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.163{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.130{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000289454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:07.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000199140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:05.328{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50594-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.556{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DF7F0A8446F8A9D2598497F85EF910,SHA256=500D422C472E14DE32EFAE84F805EB016D0A8AD6912D86E629A20266A231A901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:08.281{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5AF6ED5B2A06EB8B612D19763322AB,SHA256=E292CCD83F4FF59B652A0D18FED5EDB3CCAB3B2CC5E8C7B0A74E40233E237C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:05.562{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57115-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:08.445{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:09.646{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C568D73C02035CA4EDDDC7FCA68B4,SHA256=583ECAE49E624594606243BDD58BFD6C1E7054ED0C439D5D6672138BD449236C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:09.384{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB0B8E1AD4B060FCD9501DB07C6FE7D,SHA256=0451DC38DA3E02862B56FC1C76A09A98BE0F7A74566B3475FA0E8FE8F8869E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:10.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D702784F689DF3DD2780E803170D6F8,SHA256=D61677778B7E5186CA49A5A531B8FEB61B7104E02144E940BDA69256C37EF2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:10.485{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF01F473980CFE32662ABDE9C109994,SHA256=BD62B2A0CD08CEDAD9DC3BF4C9FBAE5E88C42F2E7BDA8744EE504FDF5D161E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.968{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.962{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.888{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.883{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.836{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.823{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A3DD55C6CBB91A86C7EFE87A8FCDA0,SHA256=C79180223775F83BD78F3A60B5564B2A8587726341C5A7B1CF85DA2E3E086DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.820{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.808{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.799{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.788{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.779{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:11.776{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000289489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:11.603{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B1904B1D2E6B4E821ADFD4A59D7FD,SHA256=8BC2FE5566ECDC35F7522EB481592AC0CE4504286296915FB86FEB2AFB5DC862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:12.961{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78A988D63A5C507231BD8E35C59BF5E,SHA256=3F1AD6FC5289B08D213FFC106EC9DA9F0B0D7A4C1356909DBB4262524A6B4BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:12.724{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE73A2F7B35E0708B826BA7572A05BE,SHA256=A87680FA16F3B0F92960BF36645B58C51FCB9EDB5E9B6C0C5B30D3DBD42F1EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:12.657{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-074MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:10.561{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50595-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:13.740{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86AFA371C7503BC9CFA3A9ADECAAB4A,SHA256=880D491485F3E64BB49EFBF71608DC97F231EA7CEE93B4FA684DEEBCF39CBF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:13.657{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-075MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:14.757{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E98111657E2179138D66892BBD2246A,SHA256=2C79D205323199C4359ADDD5B1CB302A4E0856FBA2ECCB7C4FCC9DA9B41FF187,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.364{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.351{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:14.009{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D4507116CF76B712A8A6D14076A2B6,SHA256=ACEC3AB46D09D448AEF5105B3F10BA9DB27EE58D67D3AE31B41BBF90E89F50AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:11.590{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57116-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:15.926{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF46c520.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:15.888{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666A07E98F45DD85D0439CF104FF623F,SHA256=CF4D23C3CD4B13A457F08EAF7F56779F4D696D6D2873042E950F8120F4496455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:15.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82836F135140F1CBC420B92CD186D52E,SHA256=9BCDBCE80A20043FEEEB71B822FAD6DD1C80EA339635C08DCDA1BB5DF5576397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:16.174{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56396FEFBA786FEB9594C13A527A38FE,SHA256=44300F942E16466EA2ABF7728CE52E10089418878C2FA903996A8BB402CAFB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:17.276{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5904FD9A9CA493FEA318EA6226FE9BE8,SHA256=095DCE807B03F1BD644B5D50E932BBA26DC4232F6A526D0067D95F494E7497C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:17.007{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36104BE5CADF37144FDA8D7D110CAB3,SHA256=B0962DF87C8F4EA601B14F6369BC0F36F9D093B20CEA0EB030B0C0F1CB01E358,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:16.479{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50596-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:18.378{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CF48C0AE0CC97291F5008D816F9858,SHA256=CAD1A78D3817FEAA9861C34DFE1C5BC028E253325A942D9564327E40CBF4624C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:18.128{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04AAC0D766CA2334BC926C0400214B03,SHA256=53C8124EE06C222D6B54B23C69E2A46A92A989DACE2A705295537941FED45638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:19.467{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E882FB7D620F23EA8EC24D175006CC82,SHA256=BA23DF6646105B65833BB7A08B115B007844A0A8E9BB8E3D0641914AE07B58C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:17.498{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57117-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:19.243{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF331A8E4E47E8BCB2624B41C7243320,SHA256=5C532619713713D1CC786B8EB27EE67C86AFC1E862717510E6B74EF89D871D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:20.551{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88042D6CE5F7291BDA3F5CCA4096373,SHA256=94E453568D3AFC401AC93AACB900AB23FB15EAD1B0285B8FD916645C5852B216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.475{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF02B5D3BCAE926C50736105D8C69109,SHA256=A201A55C0CEDB9D4F744C6124472D384E4B870CBA9785AA6DED3DAD0667951C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:20.275{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:20.056{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E366024613BAF0AC2E42202E7E625D0C,SHA256=7B8F6FF3B4130BF9CFB315AAE52F44FA71C7E1D12E9284285533568CCEBC003D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:21.644{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55B40F6BF801B902F52D54A31D9F32B,SHA256=4E73497CD2584916D15BAEA9693708EC61E76796776DDD4B809C15EB6F04AF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:21.375{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5985A47A9348CFAE7EA5364D3ACC90,SHA256=6175D240A537EE33533097E3F64BB2B2F777CF4478F7DE988B6CEADC39AA6266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:22.740{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FE57043C806FEC11DFBF1F61F4321B,SHA256=3055D82CDE6EE1EF160D27D8AD01E3A9EE93A9512B2D0392FEB2E78C905838F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:22.475{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2377FD9B8412D9C577AB0755551EE413,SHA256=9867182E530F54C39E0158F9F563B0E8CB417247B7C6C5338332604019CF014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:23.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E505C145DEDA9B6B56D910AB34278F8F,SHA256=51FA4D4EF9550A3C08B093C46A8BE1C69BEBBA0088FC5BC44141192822C51072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.966{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.936{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.929{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.920{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.910{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.854{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.852{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000289510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.590{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22835FC9951D46E3AB3218356F2053CA,SHA256=48578681DDD4026235FBCCE6E9A895BFFEC79F43090934CF4E1739555B80D4B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:24.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0DFFF445A58ACE4B4DE6A2DEBB2845,SHA256=41200A9FE516B6885D2EB1D5782365038D69D35C20738B42FA2808B7044C7118,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:22.413{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50597-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.646{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142E5E78A15EC49AB4992D3D59077DBE,SHA256=FC1BA573F5D6F0742F6F59740FFA977620EEC9E8D82DF13994AA6D24E6A5AB52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.567{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.563{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.168{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.159{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.156{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.145{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.141{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.119{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.114{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.106{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.103{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.095{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.075{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.051{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.036{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.020{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:24.006{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000199193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:25.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97941B8A0651B095EC8746762302CFB5,SHA256=CDCA887D16C7AA728EEB4F80B19E01409305306CECB88416883C4D7BF93A3301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:25.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1591004B5D8B5BCDFA9B9C67A20BCF16,SHA256=5042E2B5D74DA6542594C4E1D439CDB8A4A1CAE01D581F82705B086088775496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.816{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E85E10939ABDC02495D559BC767CDC,SHA256=C4C03B4B530FC8D77B62759A610F8676B320900D2EF88462231A64A37272F7F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.598{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.597{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.595{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 354300x8000000000000000289542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:23.429{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57118-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.327{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:26.314{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:27.009{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA1E7161BEE11E2A31F35C59D5A713B,SHA256=B5B73861E522BDDEC007502A0A905DB9D29451300DE23CF731AFC73C211BC746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000289579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.697{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF46f316.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.390{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.390{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.387{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.373{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.370{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.366{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.363{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.351{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.347{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.344{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.343{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.337{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.329{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.323{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.311{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.273{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.259{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.256{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.246{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.221{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.190{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.158{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.151{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.139{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.130{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.128{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.124{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.120{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.118{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.114{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000289547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:27.113{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000289581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:28.135{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D15DA550B89FA083A4A1F290BEB9E,SHA256=2BF8E7D15AD939C1892BCADF2C7CFAA57259E111AB7CAC861153B115B8943D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:28.102{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA615E96BF1887A768A6E9720EAFBD9,SHA256=E4C1F96F24C401F62E58D55C9C7A10338EB8300C9B53E5CCBD80D824075D2414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.720{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.202{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34E590C4B80C7704D5100C8378C20CE,SHA256=005DE7A27814C41AA3738F35ACB5A98B2B7A8682D2994DABF18DA834AB584873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.882{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.798{30B46F62-5A85-6352-6003-000000008B02}67847792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.582{30B46F62-5A85-6352-6003-000000008B02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.198{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EF8895FA440CE1E073AE9725F3E6D4,SHA256=5AB7A611181D248EE4F5F0F1E93CEAF58E3A1376ACE6ECD859C47E2E184C1632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:30.305{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5CA4872B20B6DB259B9CB3CBEB603A,SHA256=4148C24B426BCCE978BB59AE60EA5FD0D555E8694C2EB651E0F1206206385C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.935{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.936{30B46F62-5A86-6352-6203-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A11D8CD71D2735E052EA95B3DB0645,SHA256=60F4581AF32E56C741E1F292DB0036561F8DA5CAFB1C3C61CFAF7D073473C937,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:28.503{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57119-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.351{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2FF5564AB010F02981622FF93238BC6,SHA256=06928423F3193461FC9A4D475E7934D2539E8CBC1D58B222ABE1DF3C4DA3AACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.258{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.254{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.253{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.252{30B46F62-5A86-6352-6103-000000008B02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:30.243{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D93AC7348C948C831911A7528464889,SHA256=1CB3FC494AA1A42DA6C479466D9CC0C43AA558E66201E54F9D09D697E4526F35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.885{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.877{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.826{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.783{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.775{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.768{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.761{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:31.399{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793144494F5CACB6D7D0808C13AA0435,SHA256=35575DE7D455F02223D353CDB813C4E6E92D88FB5C04E432D553DAC7380A19AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.325{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE795049A7A9DDDC839B5ACCD26A783,SHA256=E436F9561338EFDF58AC1A0BB24A8D97B0530A0ADA2E2A3ABAE82A673A35CC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.306{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=64ADD695E0BD677F127ABF7C4D23977E,SHA256=A32329AAEE0B2A1E578340B025AECF8BB83425062726CB14613E83F2873F8CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:29.016{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50599-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000199199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:27.554{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50598-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:32.588{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20535E47F2631A46B9AD55D2DB033F61,SHA256=2C8BDDA77D29AF2344C9C807233D2918AF23198C03E4A90C062A7F6B09A14CF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:29.203{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57120-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:32.418{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D452BA50890B1FB44A14960BFA6B154,SHA256=73AC7DDF4464A3C0D5D97CC47CDD66FE36E454EA976EB9351B3EBC8EF79F42C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:33.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B21473C4422E5E98007DB73F8C9E22,SHA256=DDA8DC001A9BB974192E9E4B1CD5395837B08820499549D79906741E1B6585F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.689{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57121-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:31.689{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57121-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FD20DBFD07817484E44788BD214325,SHA256=3103B71B9255C0A2176B99352D42BBC76ECF7A8E05797E456FD7579DB35CD5A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.483{30B46F62-5A89-6352-6303-000000008B02}81206656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.287{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.283{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:33.282{30B46F62-5A89-6352-6303-000000008B02}8120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:34.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9DE040E73803F85AFFFABDD485353B,SHA256=6C8231B23F1D956A23D783C5AC0D8FD1D8633D47FF56664BA43BDC16C7BDC2DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.987{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.988{30B46F62-5A8A-6352-6503-000000008B02}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.747{30B46F62-5A8A-6352-6403-000000008B02}77128048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.626{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14CD50A2EE69AE28AD94DD907E13D9F,SHA256=B624F3D1589A2EC5582E8811BE7C58094EE38BFCF9BC7AA5F8E795AEE5CD95B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.484{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.485{30B46F62-5A8A-6352-6403-000000008B02}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.453{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:35.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFC5FF9E0EE204775B33A030EB6916B,SHA256=AE7995E43E7FBDF6F24285603FCB5A410FB1016CA9C8B4D323955DC68518D3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.687{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB019ED9E8C6BA56992FA462BB0A4539,SHA256=39B8887BE82D56304720FE740467256330FE828C7729B51798D5EB5FDBFD3096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.672{30B46F62-5A8B-6352-6603-000000008B02}8060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000199234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:33.460{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50600-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:35.187{30B46F62-5A8A-6352-6503-000000008B02}81563416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:36.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB82D89E3A2B1E6D7E8B4422B95F615,SHA256=A8C3A77F9BD9BB13E59411EBABFD4BA39867B24AD96571DCD3A4AA19287031AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:36.719{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC179CACA96E2061A56913CDE2E1360D,SHA256=BE0B8D84E92B66535AD34F2F0F5DBFBAE8DB982F123E5D4399EEF3172F592F00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:34.407{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57122-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:37.819{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFE006B3CE768A203F986F2078CFE75,SHA256=CDEACCC2EEB02B0DD395816CEC4CB5A943D9EC5034753069AB42232BF48D25BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:37.083{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F0CE0E5E2F8D51A64383FFA8CCB18E,SHA256=6CD286741BF71ECA4CEE2F32CF4C2258E2842049D039B1C841DD98C139E0781D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:38.935{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630CB12A246E5546E06295A85F4A221F,SHA256=904D368406E74187B75833857FAA92585C9F6E5BEB36AE508F7005E16CCFDE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:38.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F8FD9052823306133E45E95313B187,SHA256=45B19524BF31DAF1840BBA54B3F8D102FF148A2FFC4FED64F42FF598B08F2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:39.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB61FE301C8A25BCE83C356F9F2B451,SHA256=07933C30672520B7D7C03D84AA5FFA3206093D5E12A9F2CBB0F92302A8757EEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:38.502{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50601-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:40.474{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEE293199C9F47F597129B2017B4440,SHA256=36DBE289DBAD12AF2993CC5A77C3BB30722508F734320F57A46DAA23B61FE884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:40.036{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEA0CFED482B94790ABAE84FF462332,SHA256=E3D051FD6473C7379F237D622B24EB4450C785B6BD47CB114ED00E390CE69EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:41.567{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDDEFD48709796E9B43B661D6EEE9D9,SHA256=43E901F0BD93C6F3DB04E7B5282E35C1EC6B9FCADEDB4710B119A56DCC1CB75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:41.054{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07801F0D827B8A7956B036C4271737D,SHA256=653CB374463CA90D6050B1644690AD5362698D3024D6A15965BD52B8153DCB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:42.641{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768AEFD51B1CBD9D8FB263FA242A8391,SHA256=E0D17C8ACE42E1696874685A109A2CE430EF8836D29F6EE4A56EF1CAFE92AAE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:40.410{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57123-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:42.157{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDC07477D04AEABDA24693527D7D481,SHA256=BFBFC26DB7C9046015E7B46B1F179F2231D1E53E59941D2B6801B5ADCAEFD4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:43.728{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BE013CEA3F5A33E3F14F71500F6991,SHA256=A5F00E6A248C14318DE662E4C8152E39BAF360AC5736B5CB2D8636711BDC4033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.969{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.952{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.939{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.922{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.908{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.841{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.837{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:43.276{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1319E9FDC5F3A2252A32816812797684,SHA256=57D9FC6B72A4313A9F6E7E4605C779929B9C023E0AABF4C5657D337829D854F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:44.824{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41BF30C11658C7E8A12B0EB76D40CA3,SHA256=AD6D6A47764F6992D61405EF75C4DB371891B002A1118E922729A67BF1FB8379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.518{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.515{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.339{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9290A463BD6116C5804D39B8CF504971,SHA256=7368B913284CB352D5BABF9DB3DB65FC6FDFB108F8EE0A133E8F456FA2380C6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.138{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.131{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.128{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.120{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.118{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.108{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.102{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.099{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.096{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.093{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.083{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.051{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.033{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.021{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:44.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.926{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E011996C5A23AFE6EBB0D698411EBE,SHA256=1F7E2E7AF6680809636C4579A6D103E3D22A476D3875B26A83C66D63379B7ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:45.428{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93252FBCA7D3BB021FBCDADEF333BB3,SHA256=558F63F4BD2994CE680890722A32AF0CD39F9AB16F6BE45817513FD11C0D726B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.644{EFF5EEA8-5A95-6352-B102-000000008C02}19001004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.488{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:45.489{EFF5EEA8-5A95-6352-B102-000000008C02}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000289698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.561{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.560{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.557{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:46.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A101854F99149C5B2FAA37C5FEA70CA,SHA256=A19FA4862C700F97FBD62E2FCCAC469ACC63411CD3B23DA6AE7C439F329EADB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:44.417{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50602-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.826{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.827{EFF5EEA8-5A96-6352-B302-000000008C02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EF69D9ACF04DC3714171ECDC3A3EF9,SHA256=BDFE780F3C0ACBADFB0FF229E61DD9466055FFBD405EDE709A7EAB09649900E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28F29151D70454375081274B14B16A81,SHA256=122B8B32309B24E2DF0F2B13971F7E5BB49423E5FE8FB061131EC9F276285750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.160{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:46.161{EFF5EEA8-5A96-6352-B202-000000008C02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:45.478{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57124-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.711{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94B7CDEBDDB38E4077A253A421F645E,SHA256=93EDD60C61B25B103D013878F26DB04AE86D8A3551D82219751306D4DCC5DABB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.642{EFF5EEA8-5A97-6352-B402-000000008C02}32323464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.501{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.502{EFF5EEA8-5A97-6352-B402-000000008C02}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:47.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6783325FD4E601998B0B236A5C658269,SHA256=3863D0E160BB98E06A45C0CBEC1981A6F3680BA2585AA3113E137B6C7B8D1CA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.257{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.255{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.242{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.239{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.236{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.233{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.230{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.226{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.225{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.224{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.221{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.218{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.216{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.208{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.188{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.180{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.179{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.176{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.153{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.136{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.103{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.089{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.079{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.071{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.069{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.065{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000289699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:47.064{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000289732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:48.843{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385D474791E5049C7BC8F2C92CF57FDA,SHA256=DF355D4520C994D1AA4BEF697D35228A904ECEA44BE37020C5298A5BF8AE675A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.523{EFF5EEA8-5A98-6352-B502-000000008C02}35043268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.410{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B20FEB821149BE62F6E5C8938D9099,SHA256=A02478152173AD43D1AEC2DC8BE5E6540D2EAEE55385D919298BBFCA2C4E4CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:48.174{EFF5EEA8-5A98-6352-B502-000000008C02}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:49.944{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A7741F1B18EBD3D5A8D15EDE0CA8E4,SHA256=1B3EF8E051C698CE67B81163A6F00708485539D2E5E86B2019BA2ECECB3FCD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.718{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.719{EFF5EEA8-5A99-6352-B702-000000008C02}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.446{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D699562043D4FB15DD442DCAD366AF0,SHA256=2D11D60D49EA73DA9775597CA4348681ACBBD89AEF597C7252B926B4885A1151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.399{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1F1C2795A2284DFF62A7DFF3A377243C,SHA256=4FA406DCAFAF6BC4C8EDF40ADC5F6E788CFE2B3DD02EDF5DA970DFF9779D6A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.209{EFF5EEA8-5A99-6352-B602-000000008C02}2748500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.051{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:49.052{EFF5EEA8-5A99-6352-B602-000000008C02}2748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:50.528{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F082C01711CE51AF0536C6C6984FA97A,SHA256=32E86098C11B59AE4A2CDE9475E70280AA19BA7CB49A2261C81C6C7F2260A11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.871{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.859{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.845{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.838{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.831{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.796{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.790{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.782{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.774{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.760{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000199349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:51.623{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6886E191B84AA632386915E6FCECBF21,SHA256=D0880705690AAE9EC7FA7E3FEB15C1793B8F38E0094CED35BD45C9F8F2BEBF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:51.061{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862098EDA55E9DF44B708A68142C5442,SHA256=10EE28EEECAB2575396514C627E981BE469D7C7D749A65963BA5603544BC065C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:52.751{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D3C50E73AE2DBFA8B89ADC8A5AF54C,SHA256=8FA2442EF00D7C7415D015DF392AE095B20B41E062EA272F3F856923ED48013F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:50.580{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57125-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:52.228{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB7D50E157507F4F62E356B03095498,SHA256=741FAE34BD820E381348AAB98AC3490AD6283F832DF46118DFB78FC0773483DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:53.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4790DD546DD49BFACD4BFB780DA8AC4,SHA256=27195DF120177C083BC3CE0960BEC231EDE102A2E8C444E569CFA6488DB1B402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:53.300{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3DFD3CA454C18C2334F8037844E771C,SHA256=8A1ABB8123D08519FD9171835030CE007CC8E6991EAE0D74BA846A311FF37A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:50.340{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50603-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:54.904{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B80E05FE5B7B9A7B72DFF5BAE61466,SHA256=4156BB09CB171C5971661CB89CBC226941474125443EFE5EA1F7266B7003F24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:54.367{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA1075DFB03A344382C55594A54B59F,SHA256=E9C74F580F304E4A68DCE361ED22261344697D5342C6B433EDC3053291FC02D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:55.997{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC974721AF56B61F33E673DFFA353078,SHA256=11FD15197150243D1FD7FDA981F706A8018D35C10C5338E228BBCC4FF3C455E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:55.452{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6C1E244CDCD8F9A149DF027F967574,SHA256=9C249DD85E28681EFEA0D5A3D3919C04E3B8984EBD1CBD6050625BD642BBFE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:56.554{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D59E22BCEEE166744AA436D385EF16,SHA256=D73788EC42D1631929627E1D72C7BCB4F0110E85ED0B4D1F662E92D670278382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:57.655{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDBE9501031A1CA7D9BB3FD767BC05A,SHA256=2B07113183177D5F673C675FD0739BA9280C57B6DF289754A23BEB0F94C7101A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:57.099{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BACCD65C5AF4C1AAC3DAA076C0181D,SHA256=930E0B59EE950A7072F51ED0AAAF2DAE58467DD89522C1ECA4BEDD85B488FCB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:58.698{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127B50D322600D3F24D004F00BCA4047,SHA256=DBFA414E3CB594FBECC1E92A09ECEE13C0D26B9DC9A516FAD0DC0FD6A01C8DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:58.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D9905D5EFCE6D5ABD01C3744E05840,SHA256=FC7D8E9740A0D46B1C6B8D0955B1234CB3F4098371C9E611D870651825C2F25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:55.465{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50604-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:59.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7938F8C835FA9DF8CB28AE9A88713CA6,SHA256=0883259D32D5886FC95750C9CE0F715A199FF4F1DEFED2269EA30F903B07AD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:38:59.182{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31120B9853438A84DE55A635FB26581,SHA256=3AA96CD6A56BDB6BDDEB8A4291A8ED10519E79BDD2DEE986EB7DF58814ABCC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:38:56.509{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57126-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:00.815{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F67F16E6C7082C47FA1B403BDE45AC,SHA256=B8E9B9EF4C5D528EAF7F4C9BF7D538DFE489B4BBF19EDE24C1E1A11700CBAC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:00.275{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671B15BEBC1D903ECBA627310C6EB8DF,SHA256=67A3E633020811149C8B416736F3753B291A2F20BED88C18477F1B09AEF5F53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:01.881{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89BC646BB5EA6ABB82F68C95024C94,SHA256=E37FB322D363EA195207DDA2E266D331860A34B965A1AFDF023CD5B38CD993A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:01.353{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BA5C564A6E0C8DC564FB21C2A5B19C,SHA256=27DC501B73DB398EDD0A3D8A962645B0F5C4B23C87C73574CDDE87063F38D495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:01.516{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=886565B8F46A102EB6A26995A018F3DA,SHA256=F3E155EB026F865C6358D585D86AC5362808E53523E3C8C31E8A6573F3B45321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:02.965{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5A6841592B033375A5828694C15271,SHA256=47E666805F5217557E7C11CA3F78B8961E706A2B0BC8FBCD69A9C94B58B50B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:02.454{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFEB4E121EB14DD21551D6DA16C3D4F9,SHA256=40F8FDD08C77C8E3E111EA63C7BA5AF45986E0B3CD2F4F01B844BD866E16E4AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:02.144{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-075MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.999{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.991{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.980{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000199394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:03.553{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6021E228C0096BDEE06BBD65365854C8,SHA256=D1383F1FD3E5096301B6E70E7EAE99861E7B3113E92E425FDC0613AF1AB88E42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.970{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.968{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7C87F0E2C09BD5FA6FD5A26768B38B4E,SHA256=9386253B57BD13A6D8DDDF2837C746ED93B19195C5E60CC474CD116FF7FDF2E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.943{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.925{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.912{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.899{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.890{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.828{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:03.822{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 354300x8000000000000000199393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:01.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50605-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:03.143{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:04.844{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=063E77C41EC7490CF759781CC490B20A,SHA256=F5EA82485D1A40C929F094B5611E39291C9593F20C89F7E114E3A6C90DAA4CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:04.641{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8584D00C6AAC763A8D35B40D520F42E2,SHA256=396A706191CA8F3218F0810CA93BEAC88BE2092A7361F0DB5006B68ADC767BFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.644{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.639{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.091{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.083{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.078{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.068{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.058{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A0B27BD3B50946219862F868D57E1,SHA256=B08C89EBB43E3544C58937A722FFE4FF6F2282DBD04B365541B0CF7DFCA87746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.048{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.039{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.035{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.034{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.027{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.021{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:04.015{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000199397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:05.742{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5081FF0779D73BF19EB6E829A31461,SHA256=A48BFB7B75DC9DD6F759A6097A9377EA75CFF086513DB5F56C3B63C6A8C4ADDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:05.091{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77D44EA56765C3AC536E5FB1CCD9F70,SHA256=E7B897631759195D52E60CA29A607A0AA2E611148BC9E95D7AD12829114F6A36,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000289786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004784e6) 13241300x8000000000000000289784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0x31df2215) 13241300x8000000000000000289783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e528-0x93a38a15) 13241300x8000000000000000289782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e530-0xf567f215) 13241300x8000000000000000289781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000289780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004784e6) 13241300x8000000000000000289779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0x31df2215) 13241300x8000000000000000289778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e528-0x93a38a15) 13241300x8000000000000000289777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:39:05.022{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e530-0xf567f215) 354300x8000000000000000289776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:02.440{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57127-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:06.828{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8814BB33029EA2B10E7594A4D889951F,SHA256=60864490BFE41CA514339E675462538D247B42206D0A22A8DDE6101F0E2DE829,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.675{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.674{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.672{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:06.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E5D2D3A356ACD886B5F98E6B131515,SHA256=BA3E8F8FA2A08F36C6071BA2606379BA1DF5CC83F239470F32DB4D64E14118C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:07.916{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C55E754DCBBCB1C5BD9FF0136C0C96,SHA256=073A5A7B320BF75C0EB7B54A39644D716EE1C9412738F5D882BCE6A431B2CB22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.363{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.362{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.359{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.341{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.338{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21163ADD2C787B1070D5014C06FA1107,SHA256=286EF27E6FECA964DC4EC33590B57AC49B2AEBBE0FC68896CF33565CE161C962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.336{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.333{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.330{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.326{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.325{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.324{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.321{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.318{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.315{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.307{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.283{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.274{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.272{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.269{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.254{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.244{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.223{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.217{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.209{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.204{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.201{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.198{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.195{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.194{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.192{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000289792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.191{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000289824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:08.374{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC04E59A83F551F2AE23EF1B3D7AD2B8,SHA256=7B878A596CA63AEBD0FCFB64472D6CB8DC764B9D57ED66C8106DB1706C0BADFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:06.453{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50606-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:09.460{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF026211EC18F401CBF6864F40703B79,SHA256=5C7EBF516D7DA5DA47C186EEEA53A9ADE5277D1B287CC113763B3356899500AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:09.017{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F640434513A7470782D9BB7507ABBD78,SHA256=DBE559CA26DFAAF184C8D2BF40CC54E06B33B5601EC923D020B3733B80C28D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:10.546{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E986AC11B096C21BCA535A6F852313,SHA256=3C2D063DCB583F7FD2F9ECDCD78FD2C33B92E61E0EC5EBA66E93B424A3CA176A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:10.104{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5550F48F52B642C03C4DC72D276CFDF4,SHA256=E3B292193E994C9A41C030FFAA56DC44E778CB9A83B667EFA8AAE906A94BAF43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:07.565{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57128-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:11.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B691A2360313CD8DB152E65AECC93C93,SHA256=F122BB6293F970264B51DFDD899EAC3529809F920DBA5C2FFF5856453C60F003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.987{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.986{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.965{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.813{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.801{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2124A856D81E17FA2F250DB7912F7FB3,SHA256=0C883059CC19A18D1C95714AAE6C1DA9C0F19AD21523E6299FD88347FC888EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.501{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACACD410FF0D16F7E149990CBA579459,SHA256=D0C09C2735CDB2B2F17BA5E021A87DAEED1681B2999D7FC3BEF93932BB8AAA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:12.697{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FD7360A96B6EACBBFCDC4602CE3915,SHA256=37CAD287D2DD3D106840B6D9F46BFBA524AADF460EA4BF2B250455402867B603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.010{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.005{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:12.000{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000289830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:13.782{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85BB23F3810F15CA06AA7AB3FFCBCAD,SHA256=98B44E4A7F7AC7BE1994C0981E2EC2AF0A8BA6A3860E84C127CAFE2D8FFBA48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:13.588{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC73BBFEFEEB753D6EE7B333E40C047,SHA256=D5D7834C4B3EC73EBED530EA79956D8A27D5C8D5D483406EDD05457C6123482E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:11.497{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50607-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:14.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3591AD488EEEE9515BEE8A54AD5A86,SHA256=DBD090AE58E17CD87CB55915EC0476AAC545FEAE3C66FA5F84CEDBDD762170B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.561{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A480356BD05EF8B6A72BC64730DB947C,SHA256=9E5B63FD2CE5564C56D90248DDEE312B89D6C75C79CAE79AB9943E53E071F647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:14.171{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-075MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.369{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:15.658{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13E07CF5E7520DCDFD9B398898206E3,SHA256=65CBECC1716ED45DF7A5699A71521057CBAD03AEC5559517E80E6B6166C6B21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:15.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A3606E3A6607F1767315CD162E481B,SHA256=49CF2E3F742317555D03D5B0257AD0F329B245813F601CCD33AA98AE3DCCFAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:15.171{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-076MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:16.752{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3439474D27228BAD81A3165D1142A4E3,SHA256=40C098FEB1F189231EDBF7B59400FC6CC5668EE2E819312709C1B74BC82DCC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:16.990{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB4D693B2D2C516FF4BB45B5849A256,SHA256=008DDA54D9883E79E0EE79126B7BEAB6ACA681622BD6E2167C1C727D63F8CDE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:13.491{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57129-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:17.855{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D3E4B4FA1B660D439E9661A321914A,SHA256=2B0887A8FE5F6E0701599CA07FC347EEAF39F0B9134DE7A82C410557B791954B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:18.946{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6688F66E3D5E93FBAC8F6F6F9E1711A,SHA256=7AB5549B4382814929A1FE835C51C3C2232A7D6431A8F33BF2C364088429FDD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:18.075{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491FC5E1F8A40344BEE9189F93693408,SHA256=66046273D9111A3601C8D0C8C57EB27030BF5EF0065C5811A880D80E380BCB96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:17.364{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50608-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:19.570{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2C01F1CA03D3996607223EA44B25B0B2,SHA256=D60A1E50CCE63B4594322F6E810127F523CBA3AF7A01037FE124D7F1EB56B576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:19.111{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D772DE38021D341F969035F49A3939,SHA256=0F1C9DE39E57F13ABA5AE6C2F61B2D29C1FD6739BD1A5092CEE0FFC00850C236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:20.023{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25E835D68EE4DC5EDFA5A92D9A402BC,SHA256=BDC6535989C88B3148E433932898014CF9D3F230B20B70D075F135BD2FC4ECC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:20.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E1B0A8A7EA79D54F325D9678906CFF,SHA256=A8F6D51E53CD41BE8A666F062E10AF89CC367F9D86FD487B9418A7457ABCD8BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:21.118{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E341CAB42123DEB361FD8BDEE0DEE22F,SHA256=64CD9859B0B6B093AD1A399AC5010AB38DCBDC292C47F9AED838D5AD39B530A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:18.585{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57130-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:21.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F00150EA27E9D73996D258D269EC13A,SHA256=F6FF0CC6513ACFBC603D9E8A447A7A39DEAB0B9094C4D2B19A62A7291541AF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:22.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777BDD07AADF033A05CF369C280FC623,SHA256=86A4CCB8DC46D578C0F7A6395C88AF020AAC2F2CCC77CC9699A3C5F731E778AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:22.298{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD39BF01377F8E2CE614377B9919CF7,SHA256=16AB078B2FF1D555B369A52044D110C235C140F0120408357E362C4571288C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:23.293{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6411A3EF86A0F7379E3E36349396A8DF,SHA256=C881B5E75FD214035CD6B90CC66D15B9A6F87C4D326C9EA25837630F408CBAA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.988{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.973{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.916{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.907{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412576DDB58025BA717640D005D26123,SHA256=53F162AE5ABF79D542CCAD2B923C95668A1052A1285EE2EDBD6AE101A5E7AC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:24.396{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9487AE4B0A778B53CDE2C0235FE49B,SHA256=18FB6544D5AD67FC0FC8AA5D616E0343487B9437DE4C8EC69EB3C695311ABBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.614{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.612{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.400{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965C865FE54AD9C61E6F496E63FCD487,SHA256=F29A5192BE6F847322AF517335FA1A4FD5F814AB6F42B0DA69098AD7446718D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.242{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.231{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.229{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.222{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.219{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.207{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.194{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.188{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.185{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.183{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.170{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.161{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.135{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.122{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.103{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.089{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.029{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.007{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:23.999{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:25.458{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC44941ADE3DB89DC3C82F99ACD69B,SHA256=4D9FB3289D4BAD25114D6F63F99DE322C700E5EC5D9D3080CA5ECDFD169AA6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:25.486{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7376F3029E49DEA1886087A1563230F6,SHA256=9DDE7EBF3E112168F24732E74CAD0BFC89E73772680DDE2FD8FA9583B09644D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:22.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50609-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.649{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.648{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.646{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000289875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.545{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DED1DB0EB595ACDE5BA2AD953A9CBA,SHA256=7E23D2D6BE226AFA2A1501CB4C0DA691F064DF440F3C7E8572F90B413A29D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:26.587{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8197150A145804ED5354BFCE69EAAC46,SHA256=0CBBD2788D9AD76F8992F6D4D638613885FF1E298F1D1BEC1A180C9FE257944D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.332{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:26.312{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:27.682{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76F9C0FE53091B95E00A3F857208E40,SHA256=EE47F6BBAD4441A887CA0106D1A82AD2CA07009BA2F318530ACE1E63188DAF70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:24.463{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57131-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000289909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.370{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.369{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.367{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.351{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.349{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.346{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.344{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.340{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.337{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.335{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.334{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.329{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.325{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.321{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.303{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.268{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.257{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.254{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.251{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.235{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.227{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.195{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.189{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.181{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.176{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.174{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.171{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.169{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.168{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.166{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000289879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:27.165{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000199456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:28.786{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A60A063CFDD88ED8367F2B7BA172E4C,SHA256=D1E9B79A85A343F06296E1CAA787F49142DB4CA24E977862E7DB910149142757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:28.048{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791088BD2F60DF9F497A121294765FD9,SHA256=51767EA59D1874C042F5E7C75811951FA5D8DBB8902C36098283B9099BAD7627,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:27.544{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50610-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048733B706B59F407653816E67B9B0DA,SHA256=95F730F5C9991A9A7B7658149B932A6FE543E3E6E310381542E688E9A437B36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.899{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.798{30B46F62-5AC1-6352-6703-000000008B02}41728124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.582{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.583{30B46F62-5AC1-6352-6703-000000008B02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.066{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F8F0E3EBF2954DAF64072DCD9718FC,SHA256=87B37A75980F4D86D5036C8E8914F442EF337F48FB661CCE60AED4A7FE4BFE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.741{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:30.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1104B8AAAAE79D76A8B6F43E73AA6314,SHA256=C4A3DC3C8BBBAD03596245DD784986D6FC6E2E6786101D5166ADBBA1DDCDCFB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:29.037{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50611-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000289941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.854{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.855{30B46F62-5AC2-6352-6903-000000008B02}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76135BC837B2258BB647AD678349D4ED,SHA256=BB514DB228140CEFB4BAD22486C20FA5885F6828F5B235873E9A03933802ECDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.236{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.234{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.233{30B46F62-5AC2-6352-6803-000000008B02}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.108{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B25057D40521396D5FF26F1C7A62A5C,SHA256=ED048A5EBBCDE982C5DD1E6F64C4C7F328974058C62DF7F384BA9101A2B5AF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.069{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=683672C4E918098F4E30BC5DCAB109C9,SHA256=2181FAD0777E6C6485FED53323DA9934D5F2EC27966F7FABA56D1F994FE02415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.956{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.886{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.884{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.867{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.823{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.798{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.791{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.782{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.762{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000199462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000289944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.603{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8002CC3A7AF18CCCE281946F41C3EADA,SHA256=EEF561F46D12C981A67D961626E6E696A42580EF1A69945C9B8D03EBF336C07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:29.222{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57132-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000289942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.178{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC8C45464AC043EBB0A66DE85EECE94,SHA256=C5600E13AB16C4BE2E92E483954BDA225F943F25B15A0632702C0EA7CDECCF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:32.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4317914CC8D1027E6C989A1F6CA038B,SHA256=6DA14AC719926F2D518D57B5528676BBA79F5492121D696588421683B2B33067,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:30.376{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57133-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000289945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:32.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFF07EE3804F506A0FCFB60AB9CDF1A,SHA256=7509D0CE419D856B205CA017FEADFDDA20F6E509C99160C9EB34B37452E1B3B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.475{30B46F62-5AC5-6352-6A03-000000008B02}24362536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000289955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.290{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511DEFD09196D5BD5283C6358550F1AF,SHA256=CF52111C6CB1F5D2DAA9F0A50F93FE44FBE9E4D953FB57F5769FD6DD38FCB1FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:33.275{30B46F62-5AC5-6352-6A03-000000008B02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:33.040{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6481B3468E20498EFC9FAA16EA5D24,SHA256=55B4549E7C24D2E1E7579D83E61D076D04D4E6F2CF7E6DA7B896E42DEE9B8760,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.692{30B46F62-5AC6-6352-6B03-000000008B02}74046372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.476{30B46F62-5AC6-6352-6B03-000000008B02}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000289959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.697{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57134-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000289958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:31.697{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57134-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000289957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:34.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78138A9F894276075F89F6FFB4540E20,SHA256=6D286F42C736463B18424353291BAF862E6F7148F5CA8AEDD261E1D312063077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:34.139{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4754114D2B35C6DB34A9DE02C4B9FD,SHA256=7A953C4F5924D7CFD7F17F34B6DEDEF2FCE25E199F6C54F4AADF65B9DCBC5452,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.747{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.744{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.743{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.743{30B46F62-5AC7-6352-6D03-000000008B02}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000289978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.409{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228615DBD0A81DE3DEFD89508D56A033,SHA256=D59A5F03421F3248D83B8DD0059B164FEB536D0FAF8E1BF35EC496053F6EB844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:35.230{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5E9CBA8274BC2A40C5A9FBF254EA86,SHA256=CA6BB25021063EB0B6BCAFE2955CAEA2EBC825B60E9431F744A371F29212AC4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.346{30B46F62-5AC7-6352-6C03-000000008B02}41924776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000289971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000289970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000289969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.146{30B46F62-5AC7-6352-6C03-000000008B02}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:36.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03773FF60068C614DD66241D4725A01A,SHA256=0D3B76A8ECCEC8B8F2D0E8A8EB8BB3A0CA4BCDB84B1C76CEFB285DE1E5FD63DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:36.865{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE03426A2F5716A45C5F1B7D60B7231,SHA256=72AA2BC477092CE8F079B179DF05F3E3BB075A64A9211BC71A3ABCD140B033F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:36.479{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F15E6D5064D968C68513355CFE7F4,SHA256=EA5DF6B177CD6664553E91CE1082C3D02F5548A15A5E820B8015159982D38E48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:33.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50612-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:37.407{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B79E06FF75C7332ED37B7160C3F7F59,SHA256=7C6581A05D4FFB72924A6CDC923C77F59E194E0EEA21B723AB7378D5E0DB0398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:37.513{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE75E32545E94EB7A4483F91A7F727D,SHA256=5A2B1FBC264D755DA52070E5AB123D649EABD02CDE2D935F10FB9B05B4ED0788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:38.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6FAA1E032B74844751611938BF862F,SHA256=22C220FFA6C2F8BCB949A01635DC4952EDB2CC49B0BABF662D073ACF6BECC424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:38.550{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B524DF956B2DC5818A4F6D770D4F6E,SHA256=F1E966BF9B5D0D9B4C1E38E3198969FE103247D317EECD2D54C8FB530B71D382,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:35.480{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57135-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:39.575{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FE9CD0280BCD37F543A671C8DCF686,SHA256=C2DF13E546BB6A1BB121248B2ADBD653D205DC15882B46EBF756A21A91BD2CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:39.601{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CADF9CC5CAE2232EECA030E3751053,SHA256=1E1BDCE4809F0A71E9C990608AF7DAB64A5C921FEE42654BF846C482541676B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:40.674{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68A51B90803EB5BA98563F046878344,SHA256=3C310A5880FF564B553162E5803528CB26038439ADC968FC1EADFC02B70AB7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:40.672{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4F23E654D5681AFBF305630725F359,SHA256=F9C1CAB0A46742D821790DC687C6C636732FBBC98A79F9B07A067DB569F663ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:41.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2B1589FAD4E5CE862B602EF505B5E6,SHA256=375AFE2887C991B778BC0846E25B8F1DAC5BC96C7D4E631388FB8F4905B86A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:41.721{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECBD782ED18DAA72BFA3E6613D1564F,SHA256=E3D20EEC5281785DF1678C9E91D94F67ADFBBDE57EE805675B512E4CB320C355,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:39.405{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50613-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:42.865{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CFEA7C09D2D9E2AE415B84597F6705,SHA256=B946D1997E5560528BF87C04A9D597876FF530A4209C07325B817F9EF6E91E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000289996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:42.777{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2F8F731317EA990CE26F9B4BFE371D,SHA256=2B69412A29F2640A74190AB9E10CFD7D2AB3AF9B42D8B2216D7449B484CE9AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000289995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:40.492{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57136-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:43.957{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D14FEC679E0B3EED30893B8F3BDE2C,SHA256=D42E531D0CA51A4C0AEF84CE3C358FF487BCD21CA2083B91C4011B301F1A1B75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.996{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.987{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.971{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.953{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.944{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.918{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.905{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.897{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.888{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.878{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000289999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.828{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000289998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA505D95A8548A58D08E9319BFB2C98A,SHA256=D6CFA28B806CA8F3B4994C38002D7C988F7581BECF3C415D09557F71A630C02B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000289997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:43.824{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC20E6D669991D330DAD2A1522178DC0,SHA256=71922CBE183900DD528ADDE980F1FB6D035F67F94EF99A3F110E64C4C66EABBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.665{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.656{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.074{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.068{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.066{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.016{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.013{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.009{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:44.007{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:45.882{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833143707032A2AD1BB6474AF4EB34B,SHA256=BEC0B2798A52BB277603571CCAE07186B80E96B5C106943C4A0E0AF6CFCDBD9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.702{EFF5EEA8-5AD1-6352-B802-000000008C02}3632612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EB0D69D2FA9C0C14A45571398EC980E6,SHA256=C24C5F87EFA667939E0A020852B8CF073D3B4555A5ED745FFADEE72A1469DED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.499{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.500{EFF5EEA8-5AD1-6352-B802-000000008C02}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:45.045{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10589908C2F3E283E014C5F56C31D502,SHA256=EE6D64E0D7AB074DAC244AE5CCB06DB8F247B0F7974889F864A32251ECE65870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.800{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.801{EFF5EEA8-5AD2-6352-BA02-000000008C02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.667{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96FC0DC7D44825EFA89E71A1051C187,SHA256=3DB1BBD45D24C42C5AD0512512B7512C4AEBC9C7DEC81A87DCD9EACF3C6D3450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:44.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50614-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.391{EFF5EEA8-5AD2-6352-B902-000000008C02}36361788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.173{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.172{EFF5EEA8-5AD2-6352-B902-000000008C02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:46.125{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28B8D686BEDD9DFE08D8A3FD0EE6F7F,SHA256=9F7552DCBA0F396F3EAE9CCBFF72A30E63D6805E208B51AA6984F612231AE0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.945{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B106EC6EB6C86D1767B6ADD0619F47,SHA256=9AA4654E22BFE1E5A6B95FB18DD46FE32868580DABCF26854DF182D0B3EE2178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.700{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.699{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:46.698{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000199571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.632{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.431{EFF5EEA8-5AD3-6352-BB02-000000008C02}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:47.429{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2B970916A881E308E32399797E1005,SHA256=7B52B915D1C43D27FE3B850F90AECC0A5E9707A6DC2F2E9EE3A577EF86734921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:45.537{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57137-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.422{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB000B0211F486496962B938731E6C7,SHA256=0BE0DD9563D1F46C4ED6CDD5387E6A402DA020AA3B28CAABB810DE2EEA07A8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.406{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.405{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.403{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.385{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.383{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.380{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.377{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.375{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.370{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.369{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.367{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.362{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.359{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.354{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.339{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.316{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.304{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.300{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.297{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.284{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.272{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.246{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.241{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.232{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.227{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.224{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.221{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.219{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.218{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.216{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:47.215{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000199599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.850{EFF5EEA8-5AD4-6352-BD02-000000008C02}33923584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.685{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.683{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.682{EFF5EEA8-5AD4-6352-BD02-000000008C02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.681{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFFCF5C80B52E92A06047A5E309000F,SHA256=76F7582C603E24A5CCE4AA16A7466F27776BFD98A705DF0BF9949A0724E1067E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:48.015{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA1529A21FD15C1D51B0F603559322,SHA256=BF570112035F7C93A0AC10555CC73E00E6EC42526B8A032255723D5FCE58CD19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.048{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:48.049{EFF5EEA8-5AD4-6352-BC02-000000008C02}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.829{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060E1DEC15F7AD1D7B50A3F41411DABD,SHA256=DF5B9098D5327C1282FFDF6FF05E7E59303C10B70F1A9D90F952613C8917F9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.713{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B5D646B2B4850D5C502FB90FC858EA50,SHA256=235252930BEBE481C94EC5C0BDE96CEC51D4A5BD50A5A5A111281806E9BE78D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:49.086{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA18E374B1B1656A2A56BD89C947FFE3,SHA256=EEF697215CADC0785310F82D1E589415AEB4EFC6EE2862AEC06C27401F48E583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.226{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.227{EFF5EEA8-5AD5-6352-BE02-000000008C02}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:50.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E73B9AFDB23A95C0A8EEE935C7F868,SHA256=8836DCB351928296C3BD72A16CD599561C8F21A1943487DEBF76F24FDCE96E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:50.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255EB651B08F374C5C73FFEA649D8557,SHA256=22BC7639BA9F433D26AB4ABEE5F9E8CAFFC7CB81B1019D29FD114B112F2D3B26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000199637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.900{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD7478351FB4FFE657AE563545F832C,SHA256=9EEA588A82203B8A4A4EB08874A0DBB6F359FE1EEFE6DE8F99103B3D1059BF1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.865{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000290096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:51.248{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B40D1637A30ED316821B0A69D424B61,SHA256=50B24D1FE941E54623D206742B031CDC08595C074D0EA692838D1B1E134F6442,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.797{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.793{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.779{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.772{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.765{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000199617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:51.759{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 354300x8000000000000000199616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:49.535{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50615-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:52.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76033B2A1646A3111206DF167E6469DD,SHA256=C1AC48B10B0E20C04E65675470D8CB7C6D553DB7CE302BBAB6A7D4CC6F97C55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:52.349{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B887ADCC1778CE3BF794373A90F2F80B,SHA256=CC17326C179AE1FFD4278FCC655580A9137F366C8BEEC39B56AFD05E257270CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:53.989{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE47E30DE15730A9AD983D0D4E99650E,SHA256=4C2E4E60F88A0C9F8920D6662C3EA206620B334604D43E2E51752F17A040D6A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:51.459{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57138-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:53.426{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3893BD9729DBD0BE73978E398E93B63,SHA256=9D6232F47BC85D2433594C2E79EDDFD3405E2B0C73A6C381D3B30477CB57DA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:54.507{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89456026781FD7E1FE8A0FEA7C1B496,SHA256=52D29F92201622F156D3C2486A67D385A42D2D79876F26C4635C7D98E88E4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:55.572{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0BA724D9960E5D498A40254AADD23F,SHA256=6C4D36F539F444EF0C1D6D87FECCD1188A4340CA46E7505AB3469F8297B3678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:55.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82237A4A37011B356761EC28A6856D8B,SHA256=EDA206D716905223C61B89E8CA93BEFEC823A31CC45859320D4B7CB0FCCBB745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:56.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D21DC65555627CA00C02EFA5698C89B,SHA256=65E874FD9D02B75C4DCBD91CFF9084C745665521DECFCD2116D4910B2B4AD196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:56.168{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20ED81BF8534E964992C7A950E254B78,SHA256=74C6FF696C8D85107DFE877270EE456468A49049EACB15CC94F386BFB61B26A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:57.760{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED12F155CD2A246E786355E829B2104D,SHA256=E21EAF749C2DB235A69270F15CD5283649B0AC9D9222A5829847ACCAFB2F1F55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:55.383{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50616-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:57.263{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AF5AB3632571EA77C5C63436C10BA9,SHA256=FD09EFF7B18A14DA023772A1F91AA6F63AADCDBEAAA93509A484525C9DD903CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:58.830{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56F85A6BD3D128864E53D127C985DC2,SHA256=9A0AA15A1DD7EF42E3041CF91565A657A29F3FD1A98EC896FA784EDB3B4DB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:58.364{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70569A4272754FB3BC14715F0F2BE95D,SHA256=554CC59B0AC3338845CB6625F24D98B82427AA03455A49F31D542C4444393866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:59.901{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5DD98C80A590C64ED5A9DB02489535,SHA256=EE3705AD101284582C2EFC80BB1C20E30B9C1C022DFE77CB283FA1AD63428AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:39:59.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6574D41DB32B2DD78FB8C7B66934786B,SHA256=C03E91EFEC6765D3F429E0D7E60E77365219CA76A441B8297C0C936002294780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:39:57.417{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57139-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:00.964{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4325F024E6000BD2BE2C98721F3AC6,SHA256=73572E88CDA53C7A892F5B730C2CAC6BC8691F83F3024AFD1F927B5FD3C27CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:00.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F54341D77AE86947F5EA6EF2E27D03,SHA256=1EFDE9972044871ED286217AAC28788972A55E52E3B1C9D9078875F994AA6D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:01.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B5CAF529C7083034AB382E9DCAA255,SHA256=0F10801972FF477764E4AF7E8C58E2AD71195DC24B606015C82B75BA56DFF498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:01.689{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=160C7C3981A2D1C7FC7C16A358352BD1,SHA256=D9462CA47E0BFC50846C675EE0A719AFA92BACB5A5FDE74B629A441D7AA973DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:02.737{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE1A22F1B57C562BE54D13FFDB99D99,SHA256=CA872D992506525D07DA95585C20E71C7D904A31371304FB359A3F6DE01B51C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:02.009{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776D4255860308E9354A4A44C0BD654,SHA256=67A69AA779FAFEEB1D3E89D10F4B0FAFBD84B0A659B93F741A28C8126DC2A264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:03.835{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FC682BC9C415C4BDBC5586B59F260A,SHA256=AB3C1850C1957F407D599482B2C3E3AE499437A0861D71F76A8031E3F80F8633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.992{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.967{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0C22F219713CFDDC6C32C83D02546858,SHA256=CC25869174ADB795759BE67E3CAB8C45865C0ACB06A17206078E76DA479DED8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.935{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.920{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.912{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.898{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.881{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.829{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.825{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:03.056{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA0052740DAA94C9FDF6545E6FCDC30,SHA256=BC8566B6A0F0D1C2C2CFAEC459E4BF05A0C1F08602E6FB6A9EB3FC803D0C35A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:03.665{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-076MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:00.498{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50617-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.939{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600A8F20FD5F3D24E7CE8CA4EFA43FC9,SHA256=DDFCF915154E879989E058D81E106C0AE778A3A05875E29C08B4CDA4F7B1E7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:02.466{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57140-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.724{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.717{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.131{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FDE9519DBA6EBCEADADD81763B364A,SHA256=2B69E485891E7013035B64FF9DB9E554F17A5F793CD588991CFF78BCFA3155CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.109{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.101{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.084{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.072{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.061{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.057{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.845{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7795FCF07155B1E22E3854795C1574A,SHA256=8A1EF3EB2FD17462D4DE38EF4E5164539B20ABF92DDE66480A51B84857EC3B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:04.673{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.046{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.031{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:04.005{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:05.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9521FDBD8781A74FA35C42503C337735,SHA256=13D242EB516809A632F306273F4D36C60916F980280E3CFF1CEF4C64C5A8511D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.764{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.763{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.761{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:06.229{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B1AFB0B3F0345FC9C9BD95D7DDF9D95,SHA256=4B480BCB03E37CFBFC537A726C25A348FA3A2B868DF217F9A085630D13249179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:06.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2DED1FCBE22F52C1BCB7929C7CFC32,SHA256=95E9139D5FAD37262BB2C5D00899DE96388DCC8EA875E4593F4A124C6C3766A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:07.111{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49732A14741700DE2F64C32D23E9A3D,SHA256=AB0480AE1A2EFB137EAE6072B2509DA7DFEE74C8A0793563D38453125BD647AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.545{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.545{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.541{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.513{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.508{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.504{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.498{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.494{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.485{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.484{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.480{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.477{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.471{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.465{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.449{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.407{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.392{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.390{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.387{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.363{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.349{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.312{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.306{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.297{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.290{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.289{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.286{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.282{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.282{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.280{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBD8C8FFA6CDF0102D90F3A1E36837D,SHA256=29104CFCEA471F2A600579373F63283E24931FDE041AE77BD6E6B8D437F1EC2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.279{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.278{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000199666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:08.211{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8AABBAA0EC5E34A4E0F5976D36C0B1,SHA256=D6B4CB5270DD1FA93F2322E15E375635A989E250FDCDAA3137419A42CDF4E9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:08.353{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282D9498B947145D7A1EF3FBD85229B1,SHA256=EB02603ED45F633B883BA395AC89C13D2CE9CCF20DD7E88E6048D0C49FB4B2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:09.296{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4422F276A5F4AE59E24CB3FF5CA7CD87,SHA256=DB1FA88CD8794090EC0C64BE157FCE275526EFBD10537DF08893355D6111BF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:07.541{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57141-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:09.386{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FEA1FB58F2ABB224B25CA8A43EEFA2,SHA256=D0FF4D9A1FAE0081B27047FB0F123FDADE0939B4BF35AA7D6D867EC6F6DCEB91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:06.485{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50618-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:10.382{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA2177E71259C38675E6050F8622898,SHA256=2823AC52FA546892AB5C0100FF2E247AE4E0694DD1B1E6147B1D99B4F2759BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:10.471{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C940E438F38B2D7EF40A87543BA9ABE,SHA256=2FE8EFC6FA09CCA2EA7EC0FA69525803AA7B7A775A0D19BEABD62E2CAF1947EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.880{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.872{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.853{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.846{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.828{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.807{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.787{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000199671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000199670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:11.468{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D2C137296579D5F8967736A4DF57ED,SHA256=929360162160C8526B1A33908CEF5850C097B3EF1E645D39C0DD71717EBAA9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:11.573{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D680EEDA809F8AAA620D11582644774F,SHA256=3D94A66C1C7E24F0931D21841B7EC25D03FBA1B8B5C8E515F78D13ECAFC4BFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:12.993{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062EDE4967A3DBD9E09EC7A11C546D26,SHA256=511C37FBFA8E554AC5942737947744A3F21F31F5DDD23FC93AB2B0B99EB1A0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:12.659{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF5E7DC9C9866582CADC8B3924AF76E,SHA256=6726D808ED7C619EE3152E4196B00BF8FF55FBFBE600218C5FBB77024D2D3E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:13.730{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECA495490B68FB61034C46218E563BF,SHA256=FF853D1A3B9ED4C0015EE635E6F385C61F65A1C8FBD8519961C161705F0A98F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:14.777{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE15E6EADEA8EAE8E5F54742DE0E47,SHA256=C9598BA6CBF6AFF1552A75DA32FD1865BB8E78951A257D335AF4A292B2999A25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.369{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:14.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DD2FF77AD92DF83CCE9F18A1FB3341,SHA256=C4491C5216D3305653F7A9AB62533215ED8713158258F82DEAC2DC5E1422612C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.933{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4899e0.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:13.602{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57142-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.833{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24024B8CD6D9B61BE3914183FA46657,SHA256=296F45A5EC3D2E90BA459845505FFA78A0E5BA2084F788616B0328AC8F6859B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:12.459{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50619-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:15.189{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7136012738FC7086A855CEA3D4EF9CC6,SHA256=45420B60A1BB8F571B46D2FDE7800E2F3CD62B4C3E2E4D4DFCF3AD9E89A48A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:15.696{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-076MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:16.898{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF581F3605EF747C3B94220D66C7F0C,SHA256=77FD53C240332E55BCF582134A0F275193F11E26C7A0352372EF4A16229155C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:16.285{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16700D66920A02D654F19B5B015256C4,SHA256=2F7F4F25C96439A78F4EFCE011A73AEB4A2D908CD92650C95711C1C32A3A7290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:16.697{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-077MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:17.991{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFB99D55EAF1091023ECE5AC2EA4E66,SHA256=2CDEC4E89820AA651A813A07E010D16B8F924861E77189D158C2CD3EBFFEF6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:17.381{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012C605DA0BF9297C940FA88CF526016,SHA256=B3E476E29952A10E6E0A1EB48CBEB2159CCC82A0AAB0C96E6E703B9A1B3FA54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:18.472{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EB699756639D25BA8C6D7EAD13470A,SHA256=5487A69AD8B79CA4CE2FCAAC254C2C9E1001568F77BAE82DA1FAF7B944AD1C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:19.879{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4FBC9174362A6DA56D5ACE6839BC0560,SHA256=0B02786142602133CF69EDDF26C6D8D1DDC20CB52C013D72CF9B7D24186FB930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:19.583{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575B368856FBB36ABECEED26E4794914,SHA256=9BC5900AF93F9E8A1537BAFB3C179DC566BAD4C2624B84489EC48FBA527DCCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:19.018{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1C381BFB58E04DF714E5E70A52A381,SHA256=566C49560B805F101C8BCC83E89A9670852D510753C83B39249DDB9C038770B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:20.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F50C87D3BCB7F75BEEF861553B3BB4,SHA256=1996619558F3795CDEEEE0E46007DF1BB23B560FAAF3723E70AEFE4EE7ABEA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:20.083{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7FEAD6BDD7160A2B0599CAED118A0,SHA256=805881AC3BCD35091B6C6C6A00319BDF35286988EA676976DD088E419F96F954,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:18.425{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50620-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:21.758{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1D2D625B7A96175DEAA25B1E2972D7,SHA256=8577F94714B9C6D7BCCDFEE3863FE05BEB1284A2675C1E1713980939BC99B8D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:19.559{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57143-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:21.140{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D9401DDA792906B025FB3AF8F6FBB1,SHA256=3610B276597156CEF611CC60E856E6AC8658242E52F2A59CF5BAFA53EF6E4E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:22.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E9BEFF58DADB6A15EC1221FF6C18E6,SHA256=97FAF2D05D582538BFF320DFB2FE572591087F69192D4AFA83400DD4361BE9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:22.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E743E98144337AF8F52372FE3E7861,SHA256=AE58FA118AA47F76D3AD7EB6761947D5924807B3D61BA4690F7C5507DB829AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:23.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9E88A7A44F1EB928C679DC261039A1,SHA256=19801B81469435BA8FD800516BB074E81179520605BDEAA561257BF4657B0879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.985{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.976{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.969{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.948{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.938{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.932{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.922{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.915{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.855{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.848{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:23.302{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A0DD9966D65096BB5A581642B7F9F9,SHA256=E54545B5DA637D73055864D2DB6F9601009B48F3AB9EF497CABD62121CEB9F25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.448{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.445{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.347{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465DE024C0020A30C4C970CAB3D8D157,SHA256=7A172D8503659D524CECB6EDF1EBCF0BA3925532CC843377026BC41BE4E8DC19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.057{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.044{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.041{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.034{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.027{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.022{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.018{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.016{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.014{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.008{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:24.004{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:25.474{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6127F2F6D30ABC98197F8BBB0C6D513,SHA256=9987C411DA7EE491FD27984B450A4BDF8FFEE019A9602E65910287F6BC95C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:25.030{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634DC04D59BA72FCE5ED27CEBE6789FE,SHA256=BB120171B0592BFD7620C2122EE470A4F56D1D8D69A5E944FC3CE799921A66AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.995{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.994{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.992{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.991{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000290228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.524{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF834FAC5388E34A81A805E6DE5A6F5,SHA256=B543AAE96B2B9032074E25AAE1A8F9E68AD7FBB03A1A3A80C6D0115EF5943532,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:24.341{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50621-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:26.122{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE101618A2112A2EDE0F2472EE374B,SHA256=578C2669046F1FB8B1A85003ADAF886F501BA13C8BF6D26DFA78734D05CE4FE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.477{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.476{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.474{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:26.309{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.946{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5006DBCA1952E68BD481A17B7E5592FE,SHA256=8A77976635A7959CBB2191C12B722CFE467DD6487F21CD313D09C3BB1C090556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000290261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.691{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF48c7d6.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:27.217{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741D2E6739711E211D0EBB7197235826,SHA256=2729F5D716A99EE53F087923AF0200E51041CD554FA576A6BC32BC45F966892E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.181{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.180{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.178{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.162{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.159{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.157{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.154{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.151{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.147{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.146{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.143{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.136{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.133{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.131{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.122{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.101{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.094{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.090{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.063{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.036{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.013{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.002{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:27.000{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000290267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:25.565{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57144-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.747{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530ED2BC82928D2BEE89F5317D03F7CE,SHA256=C3EDAA43E0CB1CEF35F7AF9EC76C64A515C335AA26C337636E2AA105D4E394A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:28.318{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02D87D6568832DA1EF5511ABD806040,SHA256=B7843FC78FC58203FB82407A8AD7E85B6D1E246AF36985A86554DBEC79173D6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.677{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:28.677{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.763{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.403{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF4AAF849FA3D0B7750E487B67ECADD,SHA256=E80F7278FDC6ABC446E47A8AE561B384F68A320C8E057D61A640D0AEB53E9B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.930{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.809{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93951E68BB005CA4D6A448238442C1B,SHA256=82223B6448694E70221102E30EEAA7DDA02B395DA93468467CA6928C12930DB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.748{30B46F62-5AFD-6352-6E03-000000008B02}14681016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.578{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.579{30B46F62-5AFD-6352-6E03-000000008B02}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.864{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47A3761308386230FD42714AC5AD2C4,SHA256=9A2EACCE5EC5C84E03594BE31DAA6AF46905418B7E66AC3BA690632EEFB32288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.779{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.780{30B46F62-5AFE-6352-7003-000000008B02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:30.490{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E182F4F837A272A652DFCA894996E9C,SHA256=9C65F9752C0719A0E5CF91B573E80137F4CD665569DAA56657DFE1FC952B9552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B78867E6B98D3A184D4505F1BDB35794,SHA256=7F6A68796C5A061FFE1CF5C262ECF254F5235973113ED4AF47AAD2721E43D9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.213{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D235D0D643AD9483D9D47F0434CA5EC0,SHA256=08557D552DD584DC1CB579600E9ED01F1A0F2CDA4033969ADA67F4984B3EB9CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.184{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.182{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:30.181{30B46F62-5AFE-6352-6F03-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000290300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:29.252{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57145-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000290299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB943F05DFA1B6B622E89CDCFE92C07,SHA256=82C305180F8D32A69A0D94900747FCC9AD7F28E9E0D91A8F682D6363DAF20A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.871{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.807{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.779{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.772{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.754{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000199729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 354300x8000000000000000199728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.465{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50623-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000199727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:29.058{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50622-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000199726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:31.569{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC41E74CD4A0BC7FC032DF165FF02BB,SHA256=3C07FC54DDEABCFB9607585FA1A189BB22077CC9D4D8FF3FE7D2BF463CABCC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.150{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BADD34A3BFA27BB4197BE7D33D006D49,SHA256=E1F692A070B70DAE676146825F4ED992F38F0FFAD83BB26B715F9FACEFEFDB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:32.711{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D026D074C1DB693E63843972A95B3861,SHA256=93063F6711D921153E012A37F9B2E92D532A3DF0CB39972F7C20ADD21028F29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:32.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813B0420B00BB6D664954D96CD0F059C,SHA256=9C9835488162210DD583B0A36DF35551C2A44C6F4ED77246B24E3597566DA920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:33.988{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAACBDCA77BE9CC9EAC6D0713A9C3BB4,SHA256=03F869C8D93216916115A2F623DA306CC91F1CEC3FD13FF680D188AA8F62D5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.985{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E84500147BFAA05EEF9A7A38AC8DFC,SHA256=8B215F27F3B741419EBAB0C1FAECD9BDE42C4B8E50B9F6F4BE8EE25B194A044F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.701{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57147-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.701{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57147-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:31.535{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57146-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.484{30B46F62-5B01-6352-7103-000000008B02}69007912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.284{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:33.285{30B46F62-5B01-6352-7103-000000008B02}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE61073412347749B383B1149357900,SHA256=CE8D3B22FB9ECE8C77DD05BB78631FAD6939F125AB171B4620A0E693526E057E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.670{30B46F62-5B02-6352-7203-000000008B02}55285840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-4F4F-6352-D701-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:34.470{30B46F62-5B02-6352-7203-000000008B02}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.971{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7E4EF0B3F8FB8606DE566C10AF6B4B,SHA256=6CC5792061EC007637F25A442D25BE8C04798B2D2FC0B7F12059DBF5287CD250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:35.090{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EA43A59EF5927752BEA1F3B2A34B52,SHA256=1945D95657563CE07E6FE26067250C716FCE45BC6600FE8C28062D0950B2D019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.749{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.750{30B46F62-5B03-6352-7403-000000008B02}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.349{30B46F62-5B03-6352-7303-000000008B02}47444716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.149{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:35.150{30B46F62-5B03-6352-7303-000000008B02}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:36.192{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C39398C97C22B415B6381ABF9D46FF7,SHA256=31F947B4B63366F006339AD1A902C5E5131E2B64C1F91ABDDAAF73514638E97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:36.850{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFC45A48E12C07D4A3C4D8C45F68AB6,SHA256=DEDA82CF0916C7B1EE9EEA17CCD99352B274C8C715280BD3C2E8806911475E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:35.361{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50624-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:37.383{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF4A36D7BE0344583931C559AA1162A,SHA256=16558FD63B5057773391DF32614A4A2D66E9E1F17BD0539BFBDBEE96E8C96E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:37.136{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CADEF9EE8551A39F88A70D203A7621,SHA256=720D999CCCFE3503439EA26571405228D8F4DDA34E6C262961F23804CC07A7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:38.484{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7096F038FEF81FC51C6564F2E6379DD,SHA256=530EC7FB2C79246FB6F3AB79DF82B14E0F7811FB8E554AAA7FFFBC4A1055CAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:38.221{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316CFEB9D9395B95F8759D9D7913F7F1,SHA256=3F77E56FECFA3A0A0C9B645985E644BACBF5E826DD6FCF8D17DA2384BC81AD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:39.586{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E86A8E880F606A6B0994083349EF0DD,SHA256=94BB9C35B2B12701FA4DF1C8050BC3235F3FB8D99F8F088ADF36C8962F42BF87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:37.394{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57148-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:39.292{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC795A3D98FDB75FD2F6D2A5B630A95,SHA256=7157436F0018ABBA304028B70DEAA2B51DAD612678033B7E5D8106D5B0F5378A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:40.678{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909966247EED34C54825CC4EFCE0B1F6,SHA256=07ED8D05EEC0F5DD520DABCD10C64206BAA379B9FD8536209E77B5C13010C587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:40.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFDF31CBABA5233E698B57036889D35,SHA256=3EF7F379192871AA252AB42E1D2166E6F813CB3AF145833A12E5FA5AA5769242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:41.764{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3DCC2A8AEB3250FC9AC21D8D3703C2,SHA256=C01E8C22632420806B6912E85D52BB3872604274BD990013CBD2AEC949271294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:41.525{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E3ADE3CB0A04D3C0124C3E839A442,SHA256=3E24020D39B5796A5FCC9375D2E64E8E9FF050C27ECD42DF7B059756072A6643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:42.884{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AAA31865C2BF41247130E4236F3880,SHA256=11A425DC5CD0DDC0E067C7A7F835D6F27D3B74B4655AD4850AED31D14925FB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:42.575{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FA5C0F29FBC31B103F0BD03560B777,SHA256=913FABB9755673C58F3A20543431388724B10CEA5359794B9E1D405846563CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:43.985{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C32E584AD75C89C9AAC636D312C03F,SHA256=B972BF129D3F75E779D18EFBBF0AF64A0DB34CB027465D294A7FA1388897DD90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.986{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.952{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.939{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.932{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.923{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.906{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.840{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:43.628{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FE966F9B3D0061C7C2D34590D37035,SHA256=7892661B9C74D7D9DAC8BF84469E632A76CBFF207803AF7003CEBB7C0648A8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:40.472{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50625-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.687{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F463E653AD67879A54E3B330799C58,SHA256=C1E65373DA262C8034A9E27A1FD5D884937B61525817522980A4A8676E3220B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.536{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.531{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.134{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.125{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.116{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.115{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.083{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.074{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.050{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:44.008{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:45.746{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C58F474B784C47F1E7F6BDFE55FE4A,SHA256=31255929376D4F9B8E9E6868EC289515EF685D3FB0DA3CB04821D0F9EAA0AA44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.667{EFF5EEA8-5B0D-6352-BF02-000000008C02}33123256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.495{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.496{EFF5EEA8-5B0D-6352-BF02-000000008C02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:45.073{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A8869AEC3A18F16D49B9A8D334453E9,SHA256=5559B8C6CDCE8BEDB78D1D101349F2BD3F4460AD768DA1A2EF5F0CC15953673D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:42.401{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57149-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.831{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659890ADDAC99E51DF756220306986BA,SHA256=314A24A0AF4C358FA136F216FB16F15E8A9516999FB8F5A05832197F06EF642C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.934{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000199815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.839{EFF5EEA8-5B0E-6352-C102-000000008C02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB6902CB6766C058938E8AE782B6D74B,SHA256=4F73E5C6A46C2AF690F35D145D16AF00CAD238E22C3CF3BDBE9D7AFDDA201BC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.307{EFF5EEA8-5B0E-6352-C002-000000008C02}984288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0BF9D3A2C8B81ADF969B0CE0FBE02A,SHA256=92925AE600AF3C16ED1986B22AE81A7438D44DA6A181721D9399BF6B644E6331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.168{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.167{EFF5EEA8-5B0E-6352-C002-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.551{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.550{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:46.547{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.011{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E783450E894FD318794F8672C91EE07F,SHA256=F5C6413B0AC7B607AFA8C82504B6D02FEB1A662CF042686F054598BEE89507F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.415{EFF5EEA8-5B0F-6352-C202-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:47.411{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FDC3BB1E920228D70C2908A794E272,SHA256=FB0173EFBD2EE0C443141696CA20F0BB4E107AA89A3DF10F358231E8CD02D85C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.238{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.238{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.236{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.223{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.220{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.218{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.215{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.212{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.207{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.206{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.205{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.202{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.198{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.196{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.188{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.166{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.159{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.139{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.129{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.099{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.091{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.075{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.068{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.067{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.065{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:47.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000199865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:46.441{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50626-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000199864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.824{EFF5EEA8-5B10-6352-C402-000000008C02}9363952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.664{EFF5EEA8-5B10-6352-C402-000000008C02}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B784A94CD5C6CC86FDC3B86759F7E9,SHA256=7FA71AAEA991619427C422FA8B24005A864DBBD15098AE456B9DAF69C8C3567E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:48.403{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90819E1CDFB401F7B9C8BC2BE61BBAC,SHA256=F3230EED8646C6E2FBF69BB264FB5221C0A9D769692746C29175FE6BC5FAD5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.194{EFF5EEA8-5B10-6352-C302-000000008C02}33081524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.036{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:48.037{EFF5EEA8-5B10-6352-C302-000000008C02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C21D020A7D4636F9F28FA02499D68B,SHA256=5293E2BB82CCBED5AF4B0CDE582BD994B41B838ABAC7AFCA51385ADBA775EE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:49.484{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF372D59B3559A9A6CC791FEBE3ED6BD,SHA256=2DC956C9F68D7D02728AD5E780B2F0BAAC67544A71BA09A99C8398BE6BB49E44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000199868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000199867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.252{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000199866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:49.253{EFF5EEA8-5B11-6352-C502-000000008C02}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000199881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:50.994{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92B7D2A783C5242620DE4DEBEB6CB62,SHA256=91A67F8788F4FBD4E2EA69C1B2FF61720207EEC7A521EB2966EEC5E981D5F7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:50.537{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6D521D2D94841A221B2C19BCAF56D4,SHA256=75587A218068382FA5239FC32BCC63CF44AC41798837C92FAA7D125B0DCD3194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:50.005{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7294570BF72ABC280F2C9B4E6CD98A9C,SHA256=A6E2122D12B2A70D6981D9FC3435D49EB9C709C20D89263388706D245E723DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:51.607{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066C5B6580476DAD15F4F2BDF1BE4A0B,SHA256=797F41E6C2B0EA1E530315D885347EB13F0E863F622268FD91A743BE2ED30430,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.825{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.799{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.786{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.778{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.771{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:51.753{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 354300x8000000000000000290418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:48.427{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57150-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:52.670{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD7E51423F5A89B44C6FC5D3FFC0085,SHA256=666A52BB1F158A0EF9B2F529FAE2F2BFF60FCD60A785E8D9308537058F7769A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:52.210{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB052BA823B1091B4A1BEC01B430753,SHA256=8A81E8DF50CD6C41AB4E51269DEF49A774D547A5D24422A05913D0220ECF6FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:53.741{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518F39295E8987299666646226A5882B,SHA256=97E41FEF7F4464416665B5138D2F986310942C14D74CE9B7C0E2D53B220F6FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:53.294{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEB7499D6F173A997A419A5B947A51B,SHA256=BE90DC8DD8064E054647EB0148CCED5F28A2095BB642D5CA4C246343983B2949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:54.812{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3C66360A68CBA399F19AC861F517EA,SHA256=31F7A3C47C88D5B44BBCD5EE73357FC02FD67DFECF150328B4CFB373F2E427EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:52.396{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50627-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:54.386{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73079B2A37960C6C3AC83F256218C571,SHA256=678ACD8A78F598AF592006243AEA3913032058D592147168B4A0EFD21ED58F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:55.885{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D1FCF7C2F49A213F40ECC9014551E0,SHA256=A7FFD51003AF05ECB7D10379EBDE1622972BBCD407C0FC71A11127F75483E5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:55.485{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7239F2A8257C3A906303D1E87586FFA4,SHA256=7F102349E63FA590CFA7A6CFC726EAB5739490B50AA821D2709946B4E08E7B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:56.572{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DAFE071A63E048DF8D39C3F8C35F84,SHA256=FFEDDEBAB4BA9B46C865DF34D4EDB5A812609BF6D686B6D8CC0B0BB2CA153820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:57.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E56F3E69736BF6299E57D86ADC200C,SHA256=814A199CE8C450A722F2C1885BC9D9200362AED6A661E98624FE07A15EDB512A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:54.456{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57151-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:57.046{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41928D438BFD06B732B9BEA72C11A0D,SHA256=8628B0FA7628A71605761DAAA6C4989116F0DE93DD5B08759D0C546AF0D48BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:58.786{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23145D37A1C465B91F3644612F47EA59,SHA256=F1583D015E4397C8A7AC4374F1803F44056E5CD1F89A1FE4062E7A5201E96059,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000290429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:40:58.879 23542300x8000000000000000290428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000290427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.879{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:40:58.879 23542300x8000000000000000290426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:58.149{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E5574616562ECA1C2810661C64B089,SHA256=EE41E3BFE882FA1A3A8EF5E3415FD187D39DBE4F6C0C0BE635FE6DEC92B33F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:59.884{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEC7CEC5FFE7D206096867580820C80,SHA256=88143500DAEA6E06794853CFC4415F9A32BAC9303D1727264794C67805AF4DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:40:59.198{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF8AB755BCECB856DC5CBF2C230CE2F,SHA256=31E925193C75D013FCE8F6A1BF6BC644B6EDB971FA35D8CA47585946786E4DD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:00.984{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAE52104662F00822094799B13BA9F7,SHA256=131A570CB6AD76096DEBCB8DC0652A47AB0C1D3E381B378BB0DE36C27C184037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:00.236{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A9544E78026A384DC5CDD5E58BF774,SHA256=4F87B19B4FB075395F3587AFF0F2082B1CBCACE223674201EA9C3485D8FBE150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:40:57.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50628-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.404{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78F18A652E68FB6E46B044A90C9647D1,SHA256=A0296C06E5CDD053863DA6E13ED55E32D9768A7517CF2A86F6A93FF33943D1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400527DD7BE3A6A01B072EA10EA53DB6,SHA256=3F71D9BE9462A09A355C4FCD97F6D26E1CAA20419E91BC28D0A20ED58EBFA139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:01.002{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=7F989A5C879F22EBAB9A504A81C8ABF3,SHA256=C98995BD05FF2B3D5E43FF3596FFC49AE9486F713CF4F24F97C680B5A100B3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:02.085{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B175CDDCCE86D35430F49F172BABE5,SHA256=035701AE6BA6896857F8144A194234267480AF5475EE2390F65A3C7CE9D8E74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:02.388{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3E21C85F6DDFF7284D3E3E2FA1DA8B,SHA256=2610A5BDE4F26928207C8E440BA6EAEA4CC0253A59172D97C6A9DBA81FB8A079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:00.428{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57152-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:03.196{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE19A71A92909C9599705B3EF516EF96,SHA256=FAB677AB6DBF47A2B03DBE5EF58AFE96C7FD1E1F10B18A502CCE9A38603CDBE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.990{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.984{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.971{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.966{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=08CF443455BD2AE58B12955046DB68FD,SHA256=F6E81D84A03B9AB8F412C5307DC41EDD08100A85544AD250012B5019BC55B0F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.964{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.956{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.945{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.919{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.904{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.889{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.879{30B46F62-485E-6352-1000-000000008B02}3087704C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.878{30B46F62-485E-6352-1000-000000008B02}3087704C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.871{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.864{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.826{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.823{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:03.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D11E3C969365F973F3AC7A67A2CEFD,SHA256=4999C04D2D7A9BC6C145C383AECA9401B6D1A129B3B4F2052B125FD72579544A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:04.854{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=62E631BCBE8E4126C9045B3705A79D15,SHA256=35A3B23017E1F3510EC1B803223128E29A064B72DC34A14DD9F8190C263B47D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:04.285{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F680C8CF0411976CEABE0FD7732E1FE3,SHA256=4FC2A90CB2D59BFABF2EC950F3089D439A86EEB1AFE65B0D95F103261B188CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3C0AA18E1CE85D110DE6653AB81B46,SHA256=8C2D9EB2D97F9D73B9A139D6D6FF34B3C2B79CD8EAD29B562B6F8FDDF332F29A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.456{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.453{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.044{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.040{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.038{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.032{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.014{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.007{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.003{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:04.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.604{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4E7ABC85B3D8135A235D720D3D0CDCF9,SHA256=D38909A03B51357A5FF4708C5718E0AF603D1A0C12A1F6ACB0681E0EB4385412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.369{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B3D52CC56F4A6D8A7FC02664913054,SHA256=F5863FD88B3069103181D0AA7338CBD85F525F8165872EF0F146020DEFBF078C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:05.566{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0640B9495D43B60D052A9C27B61824,SHA256=3228A3C4B0598FD5271962C1E464A57335F659A469D1B0072F6C19A294D29F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:05.185{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-077MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:03.361{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50629-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:06.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566BEC43F568B2B330D549A9EC5EBA9,SHA256=7A46C2A65B4A77E705EF118C5F9AF63D10D19113F79DE2429EF2D84CD3F7D763,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.998{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.997{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.634{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD91A655FC5B147BB4AC10B9A99D9EA,SHA256=15CC8444E3EA06E2B43E360475063C8FABEF5550DA941FBEB515EC6B5105E91C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:06.188{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.483{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.482{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:06.480{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:07.557{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63A9B338D8CAB78D8366A9EAC350C89,SHA256=1F425100FFD823AE74763A54959E8A96790326CAA91E2E847E3C03D3A50FD2F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:05.439{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57153-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.186{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.185{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.182{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.160{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.155{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.152{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.147{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.143{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.141{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.138{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.134{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.124{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.114{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.082{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.080{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.077{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.049{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.027{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.013{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.008{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.006{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.003{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.001{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:07.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000199933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:08.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8464EF9166AA7B3574C7BE81CD2137,SHA256=EF918F9C2160D20C93017B4DA19C7F703798761415C61E2D5DC1FC062ADE0FE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.698{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000290504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.014{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B71B7ED4C36CA3B0A112E4375F9D3BF,SHA256=F0B7E86C824796FB095D26F25AAADA498275E19472B44170A666D06BF4B73259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:09.741{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8CB0DE3BFAC39BA20028F39C19B3A3,SHA256=F06231E06B083F98BE6A67298961770B1AF2222E92D0E2BB9D9AE5A04A50766D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:09.818{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=274AEB17F1A44CCF27946B57721CF372,SHA256=4E549AE213AF8575ACF4C9354BC3CCA77E54589AD90D4E9BBC3857F7A975687E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:09.082{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB520D1CB46AD6202B561BBEB6D3B2C5,SHA256=85E50748E621A424B0FBDE40F3E52F43D57991386FAE9478F6B07C4D4DEFA738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:10.839{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929BA4702C32B1D46A5A4333307F92C3,SHA256=365756CA010083EE14F28B77A980F43EB5C47D06AC6D507691583A784E805C32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:08.458{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50630-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000290510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.043{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57154-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:08.042{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57154-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000290508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:10.122{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59A3AB799F724D74A431E77FBF55226,SHA256=1E9004A26A9CE208B01F348161C7B422526C3134E454AC2B1CE7B4FB67C8CB41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.912{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9142E6FD73F7C25959FA866BF9485FA1,SHA256=104D02BCFE6E0AB530E36C5EE29C664DC14F01AB94BDA425DF7C73CAAC136858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.847{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000290512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:11.370{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=505A5A4019290E546704E38364297354,SHA256=6452499D91AFDB68D1F9D4E8B7E91282651A44344B91F2B2513B5F3F206BA8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:11.185{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C827CBBBF64E370BE83BAC76A0ABA4,SHA256=927FC44CF3D0C281EF6B783F1D3CBBFC6F993233035AF133753371F265BFEAEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.809{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.787{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.780{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:11.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:12.880{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A69BC7E5CEC4ACB4353E3D99AC0E4CE,SHA256=B0F4F17F212B7CEA0FD351FAEADFEF5C5DE8A78325DB502B139C8B45453B4E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:12.202{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D4042D4B1BC8496948E091961BE3A6,SHA256=DD1CA2C3B175C1F4F80EB3E745D13E58CA9BE28845C1EE9CD583DC429A63BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:13.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05238CE95C5BD938F5DB949E8D67BD36,SHA256=2E4E261C4E0B1D360E8487ACDFBC229C5C9C9D0868DA39B0937D122AFF4FCB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:13.318{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B222F55853BC76C21823CF7019AE75,SHA256=A3F939342E1DF070170AEA18449875E30C39AA563DD79A8140337563763D9929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:10.583{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57155-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:14.442{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C623CDF20272861298C6CE7D0BD8F64,SHA256=BA3C6D4EE16F503B6396C330CD1018749DBCEB3EC86261567AFCBCE05D660FFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000199969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:15.489{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608A1EBD43E49FA14863C4E97A6388F8,SHA256=4DEF6F5AE242B9895B85F60C3A1CBF53A68F5703B782346676A04A4BAC8E57B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:15.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77D80986317A50896F96E9AEE5106C,SHA256=E68B30AAAC8CC3BD1E82E234444E8AA6B673FD092A17A29BFA7103B5C02BF3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC80B3C24F5AEE48696754C373941209,SHA256=7794A93D5FF7A860D09F81D601E2A52A38D2EACEAA0F8B2CBABA5AA2438979CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:13.488{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50631-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:16.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1F26F2EBF35A6F0199E11056C3C5B3,SHA256=F3CABD6D8F2A67DA41B734C61815A1CC032DBCE1094D577535ADAA34C45462F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.690{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2721CDA97E7FD22B35BF816C17A230,SHA256=520B420BD845648A57163A3440A4EA0BF3019D3938F30D8241F83C0E4E818764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:17.242{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC2F98985068DBBB1D09FE182FACE56,SHA256=FACAD64D51A5A69E61A6E83105F6A0A7D623EC8A3C0C769EF54FDDEA5DECFA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.211{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-077MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=50CC1677B446BE91DFCF246C1C970C79,SHA256=C8FAB02509FEA0BBAC7E06F1174959E72E50BF7456FCE6ACC2CBFFA8317020BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=14DA9999215888CABA59ACDA0E75D689,SHA256=23B2B9E3D1DAE57658CE6ECD208A7A64C64F80EE974843CB13CA459AF5BE9123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4E8A769132765D23D0EBAC59E3B79903,SHA256=CCBDC621194ACFFBB60F6725D5D00BF720B5406489834E8FEC3C593ED9168CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=F41898EC02BE9DC4989D325203DF90D2,SHA256=463E62030A53AC934511705945E0F9D92225C770AFB89FCA38BFCCBF9C893BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=F280EFF93833AB6651F6DFEC1A7BAF45,SHA256=42F3F1270B6B21F8F7976399E2CA8EFD0B69D50985FB41A64614BB3A3E67E9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CD3A469EFCD0D65893ABFE69D076CFEE,SHA256=CF920922CEC22C91B31A7E2417942A5E38DD2A26DCCAB613EEF78C2D729FB5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=7F2F8D8DAA51D08FE360ED8488D55785,SHA256=5FC80BD417BD4DBA8832FD25AA69BA4013A136ABBDA2D745EA00B0B408AF5062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=4FEABD410F1B44C8EA4588C7446D4B69,SHA256=1FBC5D48484F5BC007EBFA52C62F4C5A341A3A7F30D570ECB74E339C4EA0D80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=6C0DDFA4AEFE6586B8A70E9E9A109CCC,SHA256=A9CB5EBD95C2D42E45A2AFBB078C056DB73540DA54A8C18B50432EDA1708D10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=39A00A3E413D89533E22C82946A4A14D,SHA256=DA64F4F25BBD168287D1E580412CE400E1E22BF1557F3DB19F4854DD1AAEE7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.904{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=37BFB646DB8933D46F8D464EC12AD26B,SHA256=27CE000AAC32D51FC2471F36D2916A8EFA3E27F2BAAB733A320E6B619F181EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=A25936302C242A472DE7B2DB75F047DE,SHA256=5035DBBA6F06D818CB5D45DE297BB2FBB9987D4CCBA3EEF5E9E9A4E663160E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=26BDC8488FE803ACDCC9ED99FC4D41CD,SHA256=A5B0F5904B435B52A1B233BA06CFF2C35E06CC307D0E978A60016E10554C2A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=A327B128741EF8DF72F89C6BDE6C474E,SHA256=9E799BC1BA14E034760B7F1C45B8E09E9EF54759DF14DA0CDAE93A6C14D1E276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=06F39D542539522DD6A6A3892EC60429,SHA256=477E14A51C019FDAD15AC343675AD920B3E0929B6041CF3FAD506F5800E2C2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=2AA052B3155AA15A1B3FBF7646994DF7,SHA256=1B1922A3C859C691E372D28B32AB0573684B288D1DD71A6837FECE58B2B8D9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=A17FC303AAD48CAF4A5CD48A94F8C006,SHA256=8E008AC435AC6391311993417DF2E5D5E0F42E522D7BEBC9B54B7EFEAF0D9E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=FB3835C20D4A35F882CA3F0FEF00C536,SHA256=9A9E184A25A9FAAA95574D797FB6066022F030AB1F9EE57471C98FBA3409F6C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=E15B0CD7FAED0836D20539CD1D5E6488,SHA256=7506BFBBA096FD71F7FF868BA1B70CC618CA36D3215C4AD657493CADF070F54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=A50C75C159E273B0ABA7661DD1ADD173,SHA256=F1DE336AFE2520062F8E3226C4143C9CDCA34EF735922BC27DB58635BB2A7E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.888{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=13C5C1E4D58E3694584EC0A8BD75E70E,SHA256=B7CB2651FED74E639191F187A1B095063F9E4C25A412141311FC169E016D61E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.873{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CD3A469EFCD0D65893ABFE69D076CFEE,SHA256=CF920922CEC22C91B31A7E2417942A5E38DD2A26DCCAB613EEF78C2D729FB5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.858{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.788{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=5DC30E8FE041DB6DEB26EB7D22F93B4F,SHA256=81858EC1ED1E4FAF46BA7961C639E2121AFA1D2255E7FBA59B28D3F2061478C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.788{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.772{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=4E8A769132765D23D0EBAC59E3B79903,SHA256=CCBDC621194ACFFBB60F6725D5D00BF720B5406489834E8FEC3C593ED9168CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.772{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.758{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B05ADAE6D2FDABF54341F740A64372,SHA256=545EFD227F36965DBC17465107B945AA1C35A73DDA0C8B892FB890649DBEA635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.743{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=50CC1677B446BE91DFCF246C1C970C79,SHA256=C8FAB02509FEA0BBAC7E06F1174959E72E50BF7456FCE6ACC2CBFFA8317020BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:18.330{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9313074AFB57ADC2B1A7E77A02E99DF9,SHA256=911AB77CC34BF6A0E227AB941AD3D2CC0A15341A74FD26D53F31859FCA62C14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.679{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.380{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57157-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000290524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.095{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57156-false142.250.191.234-443https 354300x8000000000000000290523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.073{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50388- 354300x8000000000000000290522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:16.073{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50388-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 23542300x8000000000000000290521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:18.210{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-078MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.428{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026F7FADA2EA5C6BF8E4767D68D8CF4F,SHA256=97841DE68EDACA34B9DA75D319097D50C5F7A366AC7863921AEBB4D2845350D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.559{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=39E363F1E60C2429BA50F0DDF8E960FE,SHA256=62D7FBCC03A06527A57349D055FB1A36029AC5246F4A62FDF03B93112AF8F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=A0B396F1DDE60BA1D353CAB446FFD1F3,SHA256=889E28D4BB09F517E2D2D50327E9D19900CA3A23CDE4FD81D7E82B726AF9066D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=ABFF90A9C34FF495667A7BFB9DC790A0,SHA256=6A32B1715273C1A5472959DC55F1ABAF413A9213A4072AED9FBD9DAA39A4875B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=CF0A2BCCCE71FCE55CAABC54B9B92601,SHA256=8159527A9F7D56C7AD8154876B9E268AC9F5C2D0E8C98F71ACCAA8F7E1D7260F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=60C67F500A7B4BC576F73507EF426147,SHA256=083C83BA2B3EAE9B257D389D5F1CCD3974D679A99B9D85A37987ADE054F360B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=90F833BB4DA71BC55F77B4CD9D21C38F,SHA256=2B4933F58384497D9BD8E0067717A25F4D733356B43C471B0891F31484EC9CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=03789A3E2B579F33DC32D27804BA4D02,SHA256=DB2E80581361DF60E0A2B50B0593B209C4C3483BE5EDD04865841118F8AB0B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=863C344533E8C686C3C988DDFBDCDE5F,SHA256=0D1A965E25C8A27462A85E35C028226E673032324C8610878207619D22F3A2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=A4B619394319B31019DAA7901762B66C,SHA256=A2DBE40673D52C90B8F524738EC7439C74910A319154EA9868800F662135D097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=778D899EB7AB4A01A12BE0D714A9FD93,SHA256=CBFCAAF675E78565519E1E98B936789402518A3877054E3480342ACA743875AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.043{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.042{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=12D00371BD28B3CA9C1DD095354E85CA,SHA256=D25F66F037D19A39CAB6D6B1227BD31EC44E27D31874AD32AC041EA04E890EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.041{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=5DC30E8FE041DB6DEB26EB7D22F93B4F,SHA256=81858EC1ED1E4FAF46BA7961C639E2121AFA1D2255E7FBA59B28D3F2061478C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:19.040{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=27A6BBEB8626FD5A89B921A3469A3F47,SHA256=F991880A7EE8579CAA181D90F85A1B7D5B942152766BE4B2E88C8E64964F1F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.148{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=79E9A08035EFE96488EE7EC2D630754B,SHA256=83F53EAA9F81E8E4ADC6C44893146E773B226B37FDB96A6385E78B0E28785E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:20.515{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776DFDA388A8D6813B353EFDDB6BBC5,SHA256=E0498AA09E7BF89E0D6C12FFA265CF8D97CBF8EC336086E6C11C34BECDBC9904,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:17.568{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51250- 23542300x8000000000000000290575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:20.504{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC149A7083F7249AB196CD72AF69401B,SHA256=F1D11C20AF87443D9A1E1052A30F27B4B6F9A28AA3B5C25BB69AFAA5CE873120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:20.289{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D17C973495277FFF26EF9E7732603D4,SHA256=35325FB8574E7D188FF1AB1D404BED66D290A09B31E09FA5B430C38830FA8AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:19.420{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50632-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000199978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:21.599{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514320ACEBFA3D522E80AEC6C72D669,SHA256=E691B375C964413A9BD7FFE061D3523325D1D6641F11623CAE01B854C5ECC199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:21.338{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BA0674BF6D1E6C1332DFC56DE5EA75,SHA256=5E7348ADDEB114EF58D92CD2FF645609D28668E1F16F9616C07536277E159FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:22.696{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A595BFB2CB404521A025B8C4D271EB5F,SHA256=F666F29EF4E59BF540E0191B90DCE3E9AB9D194C92D04CAA6E9900A15E05B413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:22.461{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FB60D47F581779B2E9F5348D6C1241,SHA256=4BD4DB59185E251C1AE55A36376FFEF996FAB8C7F40E257920BFBDED155B44A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:23.783{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9457A5A5ABCB51697E89E90C538864,SHA256=2D54F2EC4020E685D8D60ABAE71880011520758F063DEC20B6A18AB4E16989D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.999{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.993{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.988{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.968{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.957{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.948{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.921{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.909{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.897{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.884{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.875{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.833{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.828{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000290580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:21.605{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57158-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:23.475{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832D60F79A0062C54C007F33CB414EB4,SHA256=10FAF4213ED1308A304188025A987DE2545EDD0193C517A2EA165795465CD7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:24.866{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD7059EB637496A2B5363C4BFA77FFA,SHA256=16A4E3308CE587614B7D549CE6174ADEB5405F5E7D942463BF3BD484960D975C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.625{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FCB94E14617B7EC3F0400D36F07B38,SHA256=B198DB61C3E225D8DBA33844750464C29F26BA9309FDB604466D1373F81FB275,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.420{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.417{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.043{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.038{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.035{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.029{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.020{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.012{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.006{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.003{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:24.001{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000199983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:25.951{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94C1FC79C7592645EE94A46AED47B6,SHA256=DE30926CD1027DB4034BA36F5950FFDE59856F214DC0F03B689F1CC9B75DFA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:25.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8C54472CC1BC6EF3F34501835AF40B,SHA256=2628D6A855466DBCA0701FF0B023CF99FAE9DFD01DD8EC2D92F88FA3B1DBEB3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.998{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.991{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.984{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.975{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.972{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.970{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.969{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.966{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.966{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000290615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.825{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BCC67260971662F2DCE81033BC92C5,SHA256=A9B5A490D0E4BE7F24D094DC2D2C6BDFDB17AA06C7814FF409B66CA3FA3573BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000199984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:24.491{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50633-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.445{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.444{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.441{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.321{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:26.306{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000199985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:27.048{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D65C2AFB20EB80935EAC2822556DB33,SHA256=D0855FB8264EEACD92B61FACFD4D1DDE3AF7CA65C01827E6A1B4BD385E149FE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.138{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.137{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.135{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.112{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.109{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.107{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.104{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.100{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.093{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.093{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.091{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.088{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.085{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.083{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.076{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.058{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.052{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.050{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.047{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.032{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000290626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.023{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000199986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:28.141{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489A4AEB69EB6E6131A4CE974B097F70,SHA256=EF1E0738AAA364657899CA55FA7CAD26EE9395B9F1703727EB78884D87331B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:28.166{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0496A38B850C4461AC7294B8A5E1FAF3,SHA256=2DF01F5DA5AF85396F74B94F5AC9299CAA20014D725AF1BB842E0F0DE96058E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.788{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.228{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEA5A2A9B5D9FFC66CFDF8E907A2D7C,SHA256=9AA9809CBCE9F2FCCCD8B4E2992B879E5E2522D3251845AFC5AB2A4A207E8B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.947{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.795{30B46F62-5B39-6352-7503-000000008B02}28326432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.595{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.596{30B46F62-5B39-6352-7503-000000008B02}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000290650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:27.540{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57159-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.295{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C97205581417FB2FDBD15C56BC49,SHA256=87FCA0EBD2DA44D4A614BE7A78708A6B2716B47B7C6A6FCFB99DDBDBC0E004B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.280{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000199989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:30.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC42E8C2D237DD4456FFCF349316115,SHA256=4B3FE2D73B8A612C34069C8F885B8D628698B3E8D7C29B0BA140FB8057F01BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.928{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.929{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.612{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E7906528823500EB8FD9BB432C2EBB,SHA256=B94787A6F89A0D11D0FD9893FF4FBDA668D5479F35CE68FCC49C8D18E7E6604F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.311{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4442A90098078AA936382E244267151C,SHA256=7D732A8210D24CD2E571EE2D3DDCB2AFD9798515014F849A928D911AB64CA8EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.266{30B46F62-5B3A-6352-7603-000000008B02}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:30.113{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9BBD6D76846117FF9F6F837C304192E6,SHA256=C9F4680598F2DCF2C8A90B768AE4545E6DF1EF913860E85E1F6179DADB06AA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.828{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.791{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.751{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000199991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.749{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000199990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:31.410{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360BC09F221F3AD73C8496BD9DE62217,SHA256=21AC060008C1938A090C9C65AFAAFC47BF455A7EE66203BDBB8B9BDDC0F8A8AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:29.287{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57160-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000290687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.597{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C47DCF94615DD0784D811DBECDCC75CD,SHA256=3A1172A83893698E44A470D8F47C2F0BDBE28EF4E65DE04AEA6557855BCD2D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.452{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC3EB991F908F329057685539818B04,SHA256=55E4A19942297758A1999CD5F98A9B71F892C9E65ECD24B14B2D4C85F3C5294F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000290680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.086{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B3A-6352-7703-000000008B02}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 354300x8000000000000000200022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:30.504{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:32.935{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14589DEC5A56A30D2D6AB22DFC105AD,SHA256=493425CA7506E2CFF0B320AD2DC6E186B7B95DA111135B240B8AB27AF1A20099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:32.568{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CDF229728EBDC05CB1D1F1935A516A,SHA256=8C61B0CF791FE9A0EA6498D09F18BAF47020BE4B997C20D899FABBB9DE429B11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:29.084{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50634-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000290701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.713{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57161-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:31.713{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57161-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000290699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.613{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B30034459F7F203EC6D28AC878A5B1,SHA256=55C1E569398F0C81B70FA305A9E3C75B8E2BD34FD8DB20188C3823597C39D2BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.467{30B46F62-5B3D-6352-7803-000000008B02}47485828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.297{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.298{30B46F62-5B3D-6352-7803-000000008B02}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.729{30B46F62-5B3E-6352-7903-000000008B02}76646724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.629{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566EB5DAA52A86A251ACF8E5D618F7B,SHA256=67FFAB1BE6763FB3E03EF7643A72086CE413C5937890269B4C63FB6AF0ABD2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:34.006{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE2502073371A2C27323AFE90DF8616,SHA256=93058D4A2E486D54DA51373DD5FDA9B0F6784EB08272F05AE009DD8917CA7F0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.482{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:34.483{30B46F62-5B3E-6352-7903-000000008B02}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000290729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.829{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.830{30B46F62-5B3F-6352-7B03-000000008B02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.682{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688E2636C1536D4EC7B31C8BF631085A,SHA256=5EF12106D16D63E48DBB5E02499C30E9D322704C126E901B4B704F956CEDC321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:35.096{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569A551EDEBFC2787C7BA7AA2362AEB8,SHA256=DCCFA6A9ED07C6C3230B1699EA79BB76C7E2DCFC2D6A1FB09C3F78B9B388332E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.313{30B46F62-5B3F-6352-7A03-000000008B02}52525572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.153{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.151{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000290713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.150{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000290712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:35.150{30B46F62-5B3F-6352-7A03-000000008B02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000290732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:36.946{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EEC122B81C2A003FC12CA52D19FE841,SHA256=8FC420A37CB845E3EF61256685660828D99E34DB3619D180B997E66D835E1BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:36.813{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DE0A2AF6E0CB81408502952E75C07E,SHA256=DB5636C2F0378B230A514F97760D759E8EE6C5C0060FD174B369867B63CE5821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:36.188{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538BFC0F47074DD001051D4280EF68AE,SHA256=782B570A4530B825D02AB830A3C401A195586F848FC365A794296E804CB06687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:33.524{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57162-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:37.947{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCFE118FCA76AF8D2233BA6BFF383B3,SHA256=1F93CD21ACE6046E3228BFF2CF849E5282579C42E16E3330BCADBE111940A439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:37.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FEA36CFBC465BE55DA5A7164607180,SHA256=A6493DCF236334FF240D3D879BB0A4EF784A53BB3D823BFD1CFA59EE7E37FEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:38.360{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529D1BFE4AA1F6F6498D0FE1EB87A6D,SHA256=05AAC5CA1273712C0804C86B130CDCF95ED0EC30C0B148DB655C035EE5CC358C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:39.450{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C196DA95CCFEA9A718675BC3BC0DD68,SHA256=FFE75C3E9F9F7AFDF87B3FACD9D022375D2226696881222449E4E9FEDAFE7F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:39.098{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416DD29F90DFDA12579A2D5474B1F93F,SHA256=0ED18F71A3039E7004BE91215B192E4B978C8AC6E1101F473EF7E9ABD224EF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:36.496{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50636-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:40.548{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C8653E5B8E01B8DC928E23E30F0558,SHA256=A453E39BE7E407EB507A137A0A2427494A51D9138862FFB8B9753B01972DFCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:40.217{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C3FB686B255108C6F1AEC90A2CA47B,SHA256=00084DBA2766FCAEFD3F46FF262C28F8F6103279586DBF93101E5A1C15E2E650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:41.648{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E29A8CE65C2526EBE452AFD282FA3A,SHA256=FB7414D963660EC791AF8F78EF8690FA08B6E6BEAC46E647B8F77BBA4C7F47B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:39.514{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57163-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:41.233{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E48EF16FCBFCAFE94CBCF3472C1A3E2,SHA256=9E2DD9C215F6DB8C5F60502CCCC0CAAFF3BA7C5B94EA37FA0DF9189C4F247C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:42.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7BF5D4F4D21505B58540553D71861F,SHA256=AC7CC01EBA2B8E6AE75EC91462F25AACE354123C4F865BD7F2FFFFC6812A63F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:42.300{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7063A6589CF4E9EF33E61086C4E3BBB9,SHA256=80A78AE9BD9A8C1D200AEF7EF25524A8AF58C0B6FFABD85BC5BEC91420A29E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:43.849{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E5EAE4979B284A1C3668678ACB820F,SHA256=974EC462A93BEF193A14DA683542E17BEAB1665C73978C5D0C4DB47590CFA493,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.994{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.991{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.972{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.968{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.962{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.948{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.924{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.916{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.903{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.900{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000290746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.889{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.874{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.867{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.859{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.851{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.818{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000290740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.816{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000290739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:43.431{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D103BDE67E0A3F59E2299BC116D52BB9,SHA256=99D74FEE830F53E81DA45DE4EDE758A9CFAA21A63782C6BA8FCEE5CCF49E7899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:44.948{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44390A7C91D09B5E657EEF40E9E7AB43,SHA256=C7152DB569C9F324A954B2D21789528C413848E33B5C1C6FF516C513228B8E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.500{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979733AF17F3DAD3AB5B1DDA5546A099,SHA256=072623AB630DF913E5819A00E820F267BC35235C59337EA63620B69155ECD7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.385{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.381{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.007{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.002{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:44.000{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:45.616{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A897FA7807485B7ADB69BBCBF5BB69BF,SHA256=31066DBE00C096C8A88AFD721FE819C5096E3E3CF4929D81E9CCE8253EF1A11E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.689{EFF5EEA8-5B49-6352-C602-000000008C02}23761604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.517{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:45.518{EFF5EEA8-5B49-6352-C602-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000200035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:42.457{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.980{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.974{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.966{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.961{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.959{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.956{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.954{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.953{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.950{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.949{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.717{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C38B271F3C2C0FD675ADD1742D9EF82,SHA256=B5B870F39876B8217E5414D5FB4CC25458E137EAA9F0EC78C240D1F9DAB8D5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.720{EFF5EEA8-5B4A-6352-C802-000000008C02}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.673{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92D14BC71AE617247FB3D5377E35A7F,SHA256=3FC35AB9E1BADBB00A105E2308CCE9C1C704D881BA569A30254462F71C4CD985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.376{EFF5EEA8-5B4A-6352-C702-000000008C02}33041004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.190{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.191{EFF5EEA8-5B4A-6352-C702-000000008C02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:46.033{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D234826E711472EA548623E9DFCF0C7,SHA256=8AF98DB1FBCA2A179D0345A5C991CEE49BC071EDF447119BCFCFFE1548D9DC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.434{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.433{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:46.430{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000200107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.971{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.972{EFF5EEA8-5B4B-6352-CA02-000000008C02}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.502{EFF5EEA8-5B4B-6352-C902-000000008C02}36203588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.348{EFF5EEA8-5B4B-6352-C902-000000008C02}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DB7120D9858FD15F84D662D9D28B4A,SHA256=096B34100F214AE26E9062D17D7A141E876EFB57C131D10D6814D1B9797612FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.346{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=582A945DB27CE00FAF2AA0FB4E24B395,SHA256=5C03E853309D97BF4A407A8CD043D94AEAC76809C0514040B71977D039BACD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.159{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.158{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.155{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.116{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.113{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.110{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.106{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.100{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.099{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.097{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.091{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.085{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.051{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.041{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.038{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.036{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.013{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:47.002{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000200122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.580{EFF5EEA8-5B4C-6352-CB02-000000008C02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.576{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF51B71BA1CAFFE445CECC56941F9A9,SHA256=25F2ABC020AC101EC76114FECC67AAC789AA8B06AAA6B923B68A59B9CC637336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:45.417{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57164-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:48.050{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014DD4F00A5868FF37A280BC275AFB1E,SHA256=C4363428390043EF49628DEDD5618110DF04B610862D9E9D1CA8CE801A92FCDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:48.112{EFF5EEA8-5B4B-6352-CA02-000000008C02}34642000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.768{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA2375249B3189D0938F51C2962F345,SHA256=50227A7549E4364ED92A501873C5099BCBF66FFEE91214997BACB7C0BEF34A36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:47.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:49.105{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB4EA1C01767E8398926B98F3394612,SHA256=4B61CFB507965B9FEC500463BEECC1320895FD1BDD453870508A149A7F183734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.198{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.194{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.193{EFF5EEA8-5B4D-6352-CC02-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:49.097{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CB2273F045529D36C80E417F38CA361,SHA256=2F1F0A8FB0ABD2FFBDAF818F81C359A27FC3FEAA82F4A1D44B9659DAAEB5967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:50.754{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29BC2629D6366FEE70517C95B0AC1AE,SHA256=DC051514E745C559DBCBEAC3CCACA2738842FEE83BC0D416EC486B82787E495D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.138{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F996293F048C78548F1C5CA3AC2EB670,SHA256=3D2BF5BB4D2AF4767E8A078E1B4044FA6FC0BB6ACDD93BF13BA3BA9DF240D286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.983{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.979{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.976{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.973{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.972{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.970{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.969{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.937{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.924{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000200147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.844{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4078B567E884789C983E75F2B12A13,SHA256=A62D0D72579546E4A217FFD277F02D3FBCF625C069984D80CE86F6023F94AC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.799{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.790{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.780{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:51.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000290809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.407{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000290808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.309{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.294{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:51.256{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2666A33F2375351C642092E6067B6D8,SHA256=082CDA2270411B2D15B4E53456D09288A934B883BDFE677A977403602B7F677A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.758{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57168-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.757{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57168-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000290816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.656{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57167-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.656{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57167-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000290814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:52.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E6E988D5045980E45E1ED13411251A3,SHA256=80A7755E74E21F2A0DB0405F446F4B1BE9BAD6F9261535C588D73F4C0F5DC7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:52.378{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3507D15FA288621ED94666660E87260D,SHA256=03DCE851B8E91042EF371A82BAEEBD891D320B0F8F56FDA76D35085D726324B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.644{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57166-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.644{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57166-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:50.553{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57165-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:53.409{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2ADCA2FDC5C52ED2A94847849246EC,SHA256=B2354F4CF7493EA3419D5D583DD6F3B16369AAD374ACC9B161880E4F3D936064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:53.300{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04313C4F222D997A7FB535A347AEBE4,SHA256=88FEBA035EE6A1073B24DD09F273D56A0033082E5ED8BFCACDC174226108811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:54.509{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE38EEE9DA1F25D4E736FA3A7DFD98F,SHA256=3D3FDF9C8201331AEFA181D298D477EABC3BE7DBD8C81DBFB9D77E7D8BCCB101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:54.354{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5CB3B98E2596CAAF2D23BA07F408EE,SHA256=CA510E8E62B1803CEE92C25DBEE89989DB36011A34EE5813C5743A41EDF8ECC8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000290826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000290825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000290824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:41:55.965{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000290823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.959{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.958{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70755C6B7EC6EB3785F5B0D28C344E3F,SHA256=5BD25ED2CB5D3E0AB7E0D3BF0E3EF377C0703698A2357D5C5BFD4DA69AF7A924,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:53.440{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:55.437{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FA694D6BE7C1A79859ADDE29813BC5,SHA256=093ED6DA461E5A443C14D8E7D633A047FFA8D64E1958FAA07885EF72524207B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.811{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.664{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B92447013E4E46995ECF41D3A4A80C,SHA256=25DA0A9B98BFA5886CD2C8B944EDD63FA4FB0F52FD869DD1B0981B12B815C9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:56.530{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606150BB1184A1F0EB7A6527018F1A6B,SHA256=C8E90A67E29CEBDAD6E77167248A97D6E86D74AD27982ECF86DB0CBB3071EB64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.157{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57170-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.157{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57170-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.322{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local54699-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 23542300x8000000000000000290839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.911{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B031E81E7EFCF9364314B80C3947E68E,SHA256=EBE6F8D6DDDCC7CB149D5A27B83BEC725A71969D97528969BD1388133133B111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462C4B3BC666C044FEF64A3E5D343D06,SHA256=3319C5EA1CB9AD193FEC8745556A1E731AD78B309B3800BABF12EBD00BED5A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.811{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:57.622{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C617BC5E8DCA6723602D43B36B50B269,SHA256=FF51E31422CEABB75B7BC77DD9DDF6E09FE19FC1E8C6BE169C81196B13264509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.645{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.641{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:57.640{30B46F62-485C-6352-0B00-000000008B02}628792C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000290832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.306{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57169-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000290831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:55.306{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57169-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000200176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:58.716{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F18939DA3483AE88B141E2F268C4FD6,SHA256=ABFA6AEF6317B3A29F687D5AE3816E1EB8516A03620A7D24A01DBF36A1CF5320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.983{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57172-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.983{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57172-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000290844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:56.489{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57171-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.842{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCEBB385969942C3A3C80C5D28EE846,SHA256=3689C229673A308A47E71A099044F96B938AA12E301CF8BEEB538809B683B212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:59.803{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E68288341E9ABB7B61E3FE52B16A3B,SHA256=4B03F286F29C224878D3C6F8DD564F658ED7B87786FFC834C13B7E7F30A339ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:59.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999D49D39A816FE7BB0DEB94EADCAB00,SHA256=B9163B9591C096915C187DB6437BE05FEE270487B4EB4223CD58BB559A5DAB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:00.880{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C52DF9E0E18286A63A3DA9F6C5B453,SHA256=7C06C902D83776D140D5DB420E0208E4328F8257B801E2DD7F3C6B66D6753F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:00.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A334C5736D3BB9ECC253B442E858847C,SHA256=AE0EFD79F6D7D6D264AF8A54749FC24A95F20DE48F533652AA3D2172D3F6D7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:01.979{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F561CC7C872F9ED20645C668917DA0,SHA256=292DFA107B896428F7F051E9225D82D711A084F637CDBBA855B6120A258C712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:01.685{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4F77AC97E43573D2372E77A66C20F4A3,SHA256=678A12F3F545ED04BF8A4C78EFCE0B1985EDCDA389D84FAA5F4D2AAA12B0174A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000290856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.409{30B46F62-4D08-6352-6F01-000000008B02}2076prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000290855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.406{30B46F62-4D08-6352-6F01-000000008B02}2076prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000290854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.413{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57173-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000290853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.402{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50199- 354300x8000000000000000290852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.401{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-64619-false127.0.0.1-53domain 354300x8000000000000000290851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.373{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64619- 354300x8000000000000000290850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.373{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98e0:61e6:2cd:ffff-64619-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000290849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:41:58.349{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64619- 23542300x8000000000000000290858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:02.067{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFA2F519FC2575C416A83A25D3475C8,SHA256=51B47154865412B8C4355EA9202FC4D727FD6002081221DD8EFCC437DA363640,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:41:59.349{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:03.061{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1BABC3FB80DC771208FE3DC0513EA5,SHA256=6169DFA6C3CEE232E510214A5DE54C72AF2D428EC880BB5990E3A39278231547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.996{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.986{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.973{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.966{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=03769CECD2CC55A1102BE64FAE35BCF5,SHA256=BFD4F5D627DF8F7104D6BF16EC738E2B410928A645DA69A5F1ED543553DEB82E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.962{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.929{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.900{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.887{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.874{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.818{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.815{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.230{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=842977C5E2F22BABA5FE2A0A4388F8E9,SHA256=91E8FE007BE75F95295C259EDA28556F8B4D671EBB0B9F377475DF0842009475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:03.185{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA58DAB2E35CB09FD84B83448A67DD4C,SHA256=4FA89351D65C8287C68EAF800467119E057428FA0DBD5E0D1766A41544A09D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:04.858{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7BF6300686CE31E949BE5713BF6D478,SHA256=E510C66F167CD943A0CA3B944998D8D8F634B1D7D8620392D7167F009A2FAA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:04.145{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923DD9ED0426741DF2A543289A345079,SHA256=30E2044570AF7F67DBBF1658FAC3889947058D4EFD50E03317BFE4D0A985E2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.503{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.499{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.280{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1D3178CCCBDCDF7C0212A6864057FF,SHA256=DED111CD66C84276B5745BB39472452D4DF999A6AD02814228F7F2F2A874DA14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.081{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.074{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.062{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.046{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.039{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.035{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.031{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.029{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:04.014{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000200184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:05.233{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F031134C7031CA1A61FB8F0B29C66DDD,SHA256=E8A99D6338E7C197C2B7946ADE368E934142F66F0CFDD9E91C10D048AA48944E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:05.346{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD44759FE8FB5A50701CC58CCFEFA3DE,SHA256=CE54D0010F5B0BA261F1758AFD0F0D17048E9ADB41F3518609D24E3CD662A3CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:02.508{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57174-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:06.732{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-078MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:06.325{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A3F898ADF023C40E07E86864BC7236,SHA256=04EA37B6C2B946A91AE604AEFB8C3FC53671FCA75C6929659E23C9E8C19DB50F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.535{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.533{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.531{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:06.463{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BC2617B36BA55FECBEF10BCF54BD58,SHA256=9622CD53D399E26DE67C2652B696B9E18028894EFDCC72C6805736C396902601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.717{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7B706A85E49A8E309606E2FCBF62DD,SHA256=32F91CCE87AB14393747AA5B5307074A4B6365452BF6EC8D4DFF8AA07A40BD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:07.732{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:07.417{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136802C68C8E50474688D6AA371FDD55,SHA256=034908AC280CFCE8ED082261042BF022509285E87FF053951509E16B188F8D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:05.372{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000290925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:42:07.334{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e529-0x0090ece9) 10341000x8000000000000000290924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.212{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.198{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.196{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.194{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.192{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.188{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.183{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.182{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.180{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.175{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.171{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.169{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.136{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.128{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.127{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.124{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.108{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.100{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.076{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.070{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.063{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.058{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.057{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.055{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.052{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.051{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.049{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000290894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.048{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000290927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:08.833{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A8A2D4CAC4C923B802E93714563D3,SHA256=6632738A2309FD8F1C3D63C00E980ADBB1A5D8A9CFD42D0633ECEE6248B58D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:08.507{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0760F358E3CD747D7BDAE2D56AD9CE4C,SHA256=EBF1E4F6EA2983D0CB82D2727517323F37A876728D3885E713C14E00ECE09B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:09.596{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424836B07B338D0066D2DEF785A120B1,SHA256=0205C76C94C8A311A9CE1B4E5F77F46BEC27EA915C37D7714539374D96DDCA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:09.949{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD53CF96A3FF3BAFA1578BD4A19CE6E1,SHA256=AD61389D468F1E1F46818DDC3EE58106F943960B92CF6E6D4AC0D85603267CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:10.988{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A04CEF9C58AEE051A65A4C82A775C8,SHA256=4C964628FFFBDF8CE4E8882F148D407CE1A9742FD79A0141F1B565280799C79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:10.687{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FEE73576138E6C88D230198E9020B3,SHA256=DBD3AF3650FFB31538CB9832011C2FB6899C83F87A424B3A41F849ADCE00DEC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:07.564{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57175-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.989{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.984{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.980{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.970{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.954{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.872{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.860{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.817{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.810{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.799{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.790{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.781{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.772{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000200194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.772{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F001A34D2157D1EE92EF2F9FC29107,SHA256=29BE66758B257CDC34A95FA80C226A43F161318D3EF6E9B76033CAC01D714F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.769{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:12.007{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:12.002{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.999{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000290931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:12.019{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B23182E0B9F60120AA57B81B059D61,SHA256=0AB34A233FCB2E6C199A522D4E763FA52A9C2650507852348874985F8BA88746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:13.351{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3178CF5FB9A4939838C3C43E96A75BB1,SHA256=A209E0E76A8BC1BD7558BF5B9DDB6A7FDAFF910339A356505725DBF9D32C3B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:13.168{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33639BC77E21030296E1ED3C319AC90,SHA256=FD394ECC58852025A0CF7E59ACC5EA22FC9BD9F414769B55A9D1CA5658107690,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:11.367{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:14.418{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19F974BD876161CB8BE8B16CDF2339D,SHA256=B85CAC6CB41A47547DACE0EAF4F6BDABF64E6172D49E0DF414368870DD8A7D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:14.319{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1911EED6F5B0031E1A28963544F46381,SHA256=92255E1B9D0AF69F2A345F7DA5DF7F7EF1EF958C1BC163D2BD198149033E10A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:14.370{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:14.356{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:15.507{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052D99623968970EAB6BC04983D221F4,SHA256=3326B9BDA196D7A39703403340975B1C80841BCFECCE89526FFCE60A984C7D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:15.919{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4a6ea0.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:15.351{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E373D1A2DBF806C8D081D66A690092B3,SHA256=F3345486809E778C21634E825482F8156940BA22100A9E299C4CE49F6E922D4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:13.382{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57176-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:16.597{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D6B2F4C9C6C4DA9F94A90CE5321169,SHA256=668FD197EE65C8FFB52ACD8EF52E0FBA9608CBC293DFE3B2505BF7AF0D5F0A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:16.419{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2564ADF54D8FA1F6A21D2CC9DF33FE03,SHA256=15692016E14591DAFD4E4F4ADE8D8B5289E92205818E119928E659D8B0135AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:17.684{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30ECF12E42703DEB68DF12BC0D5B5044,SHA256=C8E3A8D35C653CF3627AC2F79C6FA9EA4441AB367E543A0E9FF5B2B4C18DA476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:17.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6D48F5165BC01EB169A12C73EC3CA2,SHA256=22B8A8CD72D3F45AC51A27395AE69C246D37249DFF6EEFD63F192A7151F72BCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:16.532{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:18.770{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF3F2E69720FEB9BDC04D391C279A00,SHA256=A0D4E1BA0DC680EDFE48A4D962EF8332E100AB1460CE3210F69BD2131400C379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:18.726{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-078MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:18.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36B3CF7AF2F24BF0D330C049B3BC723,SHA256=1A50F465B8BB0DB735B52288CCAC0891E377DD8332457189D0557FBE2BA1CC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:19.858{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F9A3465071424FDFF385EEBFBA5B0F,SHA256=C0445BB6E2E93D367CA1D4A3845D645D8954B400A163046FE721A3FBFC70A273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:19.725{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D73FFA45614624FC2A47D9E0B5C84DB,SHA256=7F5D5647C920D091D09DD053949F2E64A6560A97A045A6ADBE8472EA7603EEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:19.724{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-079MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:19.547{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=154BE12DFD124EC32D8BABDD02415EA7,SHA256=2219A5E7AFD51A3CA384BB64A09AC617A9376F1E9F5BA9002A90F42433994644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:20.953{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E860739233636B0E8B26039D60B12F,SHA256=0FBD027D38DABB31EDAC690903961103DAF5CF9BB0DACB17BBB70B3CD310458B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:20.775{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F9AC750ED38A4E1518F26E2F4966F2,SHA256=D8B61A3A870A2743EBD7ACEC0B3E73871823AC774CA4F450FC014BAFB0C36A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000290943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:18.555{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57177-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000290945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:21.873{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B08027D15AE1D69B28F0DA78F292B3A,SHA256=38C6053226F84E71152D7413A290B770BC4531CB0754C15D2721F7B280CADC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:22.929{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B40CE85AEB2B6028DDF48F1CFA39AF,SHA256=EC983CF9DE57317EC03504CC1C039F41D1DD659E13210C33F62E1885AC299DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:22.043{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7B9F7FEA21B5F92CF78440998C5021,SHA256=372594751D9BB691FE1325B6FC6B9E7741D530E495393E6CC075C011FE7CC01D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.991{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.983{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.983{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DF5C8E7AA75DF762DEF9D773C239B0,SHA256=BADEE0E67C226CB780BD8DC8D13079107060CB13ECA5CEA905B45487390BCC28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.971{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.960{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:23.119{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317F79ECE11FE9475414D0EA23E472C5,SHA256=1DAFC8373E8F556C4FDEFFFD5D5DFB0DB56CE000EC90C82D22313695F37B6AD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.886{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:23.880{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:24.210{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4369426E83CD8ADFC801343F2CD1771F,SHA256=0B5596854708D65ADC4EF6DC7B17E801AAB5B588F3FB3DABBC1E71CB60791285,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.639{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.635{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.156{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.150{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.146{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.134{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.132{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.124{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.117{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.114{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.112{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.109{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.102{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.096{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.077{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.068{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.056{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.044{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.003{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:25.295{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917C256D034FFC60AD3FFF057C60C6D1,SHA256=38ED612D737F8B797C3788CE570AB9F985C3A2123846DF6F934ED7D0E0B8BF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000290973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:25.047{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A188CFE43BE9247832081175E2D1538,SHA256=F8CEF48F6E326AE532AE8F85E0F7950E450A8477AEE8BC3E10E7A2E09D23C47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:22.479{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:26.385{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0C138FF9E129EB98786AA9EBB53C81,SHA256=09EA2BF3C9264621B0FE76FBC658A690B3C47496EFDFE03FF81F4B9B6F1352ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.668{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.667{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.665{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 354300x8000000000000000290979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:24.450{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000290978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.318{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.318{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.318{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000290975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.304{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000290974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:26.135{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588F52AA144DE5A60C7587771A787055,SHA256=10C944D2359BFA2BD59996B6C50C49B7F345C479C634D9962A06C38DE44C80BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:27.482{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7B71295B9D1FF2CE07ECFBD42483F5,SHA256=7DED6E1EE356F78D1548B2974E1857520C27D1D06DF5447B7092E9B1FA4A2258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.706{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000291017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.706{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.706{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4a9ca5.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.690{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=2D3CB916F84E11CCCD1EE403D28C2A03,SHA256=EA1F8FEE133B43AAB2B0B577F196767A756E940210962D86FF1C7654A0DE1EB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.350{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.349{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.347{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.332{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.328{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.325{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.321{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.318{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.314{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.313{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.311{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.308{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.305{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.303{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.295{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.274{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.266{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.263{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.260{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.245{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.235{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.210{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000290992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.210{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315E79299A7DA4277C0B80CFCB00903F,SHA256=3257551056D5A5BA45AA077FDF7C922A6750713597040173FF2A9E5F4CF3FC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000290991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.204{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.196{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.191{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.190{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.188{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.186{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.185{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.183{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000290983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:27.182{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:28.567{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC6CDB8AEC6442007A5C0AF95BBCE47,SHA256=90418E51502F907FA65D4BFE98790F2C22BF5C95385F881C44B2B3F888275CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:28.407{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA26325ED52816EA2BDC5753D30A052C,SHA256=0AC96867404E3497AC13C870F5F483FB16BCEC8EA9DC41088756F4EF7472F4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:29.816{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:29.659{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE764BD9CF2FEB9E9DE3D3B73B1A59B3,SHA256=989E67D573F9D29104D9B8D81C4A66C28CB9EF2FE4E0C51ACE80047EC2A6BA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.960{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.738{30B46F62-5B75-6352-7C03-000000008B02}74166892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B75-6352-7C03-000000008B02}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B75-6352-7C03-000000008B02}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.538{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B75-6352-7C03-000000008B02}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.539{30B46F62-5B75-6352-7C03-000000008B02}7416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.487{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4891C42FA1EDC3C6BC95A4AB6D0152,SHA256=AEF172F794E05A9A953396F9E926EC025B52D4604F4EE9763860C2B2A944F3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:30.747{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D6C394925F2CFEBBCB5836B589D6D2,SHA256=3E7459469B798A0230551A9B578BEC7DA85CF23CED16E1856FB157CAA0519246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.893{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B76-6352-7E03-000000008B02}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.891{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.891{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.890{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.890{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.890{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B76-6352-7E03-000000008B02}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.890{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B76-6352-7E03-000000008B02}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.889{30B46F62-5B76-6352-7E03-000000008B02}6440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.592{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87EFEF3D7C6909AC4E708563BB1ED82C,SHA256=08C6CC878B6C676D27C0342A9CE41ADF26DF2CE8455AC5ABFB84CA34884FCA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5C3D33D3EC50A8A975D508E5603E7B,SHA256=8A885C218B7D872D517333CC37843B42CFC0901DA7527CD145B36A7F50FD0DB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B76-6352-7D03-000000008B02}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B76-6352-7D03-000000008B02}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.211{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B76-6352-7D03-000000008B02}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.212{30B46F62-5B76-6352-7D03-000000008B02}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:30.174{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C72687EEC4F8D2BA2458671579C2FD1E,SHA256=587EB88F6B3AF9EC2E150983CFCA91104085DABD257BCB1F2F23430B91D33544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.998{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.985{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.980{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.977{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.966{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.947{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000200256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.821{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25B536551EC5CF833AF61C8481ADAAB,SHA256=4F4638420C2DC03779012AC093B42E3C6337FF98C0F7ECD31A4AA7733BACFFC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.818{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.792{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.770{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:31.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000291052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:31.814{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5E4C8A4F77D2CCD0C0807C4E5A0C0800,SHA256=DF4EF8324C64F8ABCBD1C3610C0510CFA9AFF63FA82607119E4B4D61A934BB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:31.598{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6405E2885F9F99CE14DC868106DFAFF7,SHA256=757D884E839E8B27C6485081FFCEC3EE7E7ADEA15A3F9D887358E6479305AC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.293{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000200250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:29.111{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000200249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:28.439{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:32.644{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0409AC11EBF1AC809AF8D075F51612,SHA256=4C0D579BB29ADB8BEB2AAEE6BBB15A1DDE9EA653E6D91F6569C2BD6A0D352211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:29.602{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.034{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.031{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.028{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.026{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.025{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.018{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.016{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.014{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.013{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000200271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:32.006{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000291066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.718{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9444568F660738A101A5F8BE28B4C0,SHA256=0820037BE815982382F8BC0B5D48B12E9A2B28215A724229174C2A7C99EE1594,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:31.723{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57181-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000291064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:31.723{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57181-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000200281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:33.131{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043701700B3D947B5FDA4C93B1BA055F,SHA256=75A7AD711F5EA1F79DC7822E11CC9A36C191536E8459C49D7A28CA0888F80312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.461{30B46F62-5B79-6352-7F03-000000008B02}13686204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.296{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B79-6352-7F03-000000008B02}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.294{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.294{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.294{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.294{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B79-6352-7F03-000000008B02}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.294{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.293{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B79-6352-7F03-000000008B02}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:33.293{30B46F62-5B79-6352-7F03-000000008B02}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.720{30B46F62-5B7A-6352-8003-000000008B02}74326436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.704{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299A86DADD5036772022EDE5A1A70117,SHA256=49F99AFAAEFBD544DCA5583B26561148E43FE5AF182A08A6909FF9D7110DD09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:34.211{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7EAEAA08AAC3ADCDEAE247D07D28C0,SHA256=0B08D443080B082CCE67716DB957F5F9F8F239E31E52949EBB6AAB1F27D75976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.502{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B7A-6352-8003-000000008B02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.499{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.499{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.499{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.499{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.499{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5B7A-6352-8003-000000008B02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.498{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B7A-6352-8003-000000008B02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:34.498{30B46F62-5B7A-6352-8003-000000008B02}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.869{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.870{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.853{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3817183113D055969ECF862CAF96AE39,SHA256=AEC0942203A0B96D34D70A84704174460E9E3586B8D66A74AF509CA6032CCD61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:35.294{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CFC41FDC0FC4F24A0BD7B527931F59,SHA256=406D5149D5A790A037663B9213FBEE95AA4624B8EC3BE41A9C80C07C5C1F951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.601{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE27ED4E7AAEA5A208329D84BF9A5F9,SHA256=83C2E9C6A7F0DECFC3C6DEA21DD576FCB30C3C460A759FCF3DE7F28B5060549B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.367{30B46F62-5B7B-6352-8103-000000008B02}79607468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5B7B-6352-8103-000000008B02}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5B7B-6352-8103-000000008B02}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.184{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5B7B-6352-8103-000000008B02}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.185{30B46F62-5B7B-6352-8103-000000008B02}7960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.910{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB1ABFF7B16741AFCF607C004F4CD8B,SHA256=04EEE627D66F2540C9366D4C8741256ED11FD06EAFD448EAABD49859BB5D289B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:34.356{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:36.387{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBED2BAE4EF2CF38A24786C64936E461,SHA256=E37C6127A7CF9A7545A841A7532041BA5CD56F557BAA15611B4076655C7E7CA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:36.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5B7B-6352-8203-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000291104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:37.957{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F490E690B8549A93E8983C9589161A2,SHA256=432550A6E6932354AB6487BBBD4F9B1357C5EFC91BA79C15904A89A97153DA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:37.486{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09EBF3141C9C9303DFA03CFE6BBBE0C,SHA256=E842B337B7873F921951B5954F5469FE55F874650C4C1975D485638F30D39277,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:35.601{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:38.571{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46CAE44CA89CFB9FE5EC9CD70C28BDA,SHA256=BF46192CC81E1CE84EF19532454310E564389EA352A15E33F1E81099638A85E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:39.655{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F275A53B0723A05B67D40A0DE29A8DBA,SHA256=ABC7137B2DF659865459784862184C491AD099B67022D4E4DAFAE6C1BD8053AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:39.042{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109F8A969E429A1D9080BC795FBC332B,SHA256=0AFB4F83362337A42BFCA33AC1B1C75A0A53EF23BB4B6FDAACD0A9FC8A2EC18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:40.743{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7DC1E44ABECAE9DE03D23C5BBB5D72,SHA256=F2CBCC2764B5ECE85EB0E7F1AC505FE3901762D91D50B609676E81C7D65B22BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:40.076{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541A63789A277B0A95311B25EE343917,SHA256=16AF0F0A0551B2FFCC96754C5F840C39B978C5DDBDB3E39222BE793109A2844C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:41.833{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEB928A1A8AD6DF57739D3B1DE73276,SHA256=3821622136C592B94F0DAC9E82658863918D486663A967750F91749CDEF677F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:41.135{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3802813DA9D658AD42A45285CE6DD6B,SHA256=5F626F58DF0BBFFC73412053C5879897E424210D87C2F1C988D3A47BA1ACD361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:39.377{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:42.937{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B123328CD566B9F37ACF2B3C4B56D108,SHA256=943ED924DDA79F1C7EA176DB2FEAB7290A0802BE13F8730D7B53D8ABBCD532FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:42.196{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F28B263FA71B4929A9C6E845C36811,SHA256=38B04A22EBF663C18DF8DB80458FF60C7C9ABB9DD38EFA43ADDD71B93661A318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.994{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.984{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.952{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.938{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.923{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.907{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.897{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.830{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.824{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000291109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:43.284{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D703939E1775A3820A3E3E8A205120D,SHA256=04B64E2684ACAEAD379599126331570CD6836CA03D7867FB25A029126E025DFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:41.584{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.524{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.520{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000291133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.314{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021A0E01C009676C8609AAAF69E6F46A,SHA256=6D8F3A803E85C151FBDFF4F0310AAED53545FD85A010ACC88E136B89326F5A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:44.025{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76167EF4608C0C8478B6488670478D9B,SHA256=7A1E249476C6181434CFD44781260762BCAD9D624D533665EA21482B90CC23FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.125{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.117{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.115{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.106{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.105{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.089{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.080{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.076{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.073{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.070{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.060{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.051{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.020{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:44.008{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000291137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:45.388{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319B74304873722445AF90585BA23F86,SHA256=AA470CC103145E1ACFF3DC5DC86D7374C00536105D707E01AB7EFACDA65C5142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.907{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=25A81DB77AEC8576F92C520B8A101114,SHA256=FB63633A32B1984D35672B3C1CC3FE7F889FA8AF22B2F5C3D922EA0C1C5F8CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.846{EFF5EEA8-5B85-6352-CD02-000000008C02}3272520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.788{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.788{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.787{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.787{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.527{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.528{EFF5EEA8-5B85-6352-CD02-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.122{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EE7699FCDE7960BCEFF86EC4938799,SHA256=CF61D42502B1232AE649DE42DA3BFFA266EBB1645D7A0E0FFA332AB63C6E229B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.546{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFEC748C1599247A4561C67E10412FF5,SHA256=6712C114924BA16E4E13D3C5D62C3F0DE63821562852C7C4F1EF9B380400CAA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B86-6352-CF02-000000008C02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B86-6352-CF02-000000008C02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.531{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B86-6352-CF02-000000008C02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.532{EFF5EEA8-5B86-6352-CF02-000000008C02}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.281{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7903E1686A18862FD0EE205E44297A,SHA256=7D3C026816A99D2992C27A0EBA06CDB2BA3ECBFB9A08D8F4A6370BB49D4C34DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:46.550{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:46.549{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 23542300x8000000000000000291139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:46.548{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BE32AD6333D103D7EED68F751A8C7C,SHA256=8296FC89E924B138F808620DF949323D935F3518EF643E507B150692685B7650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:46.547{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000200328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B86-6352-CE02-000000008C02}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B86-6352-CE02-000000008C02}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.032{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B86-6352-CE02-000000008C02}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:46.033{EFF5EEA8-5B86-6352-CE02-000000008C02}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.941{EFF5EEA8-5B87-6352-D102-000000008C02}28961400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 354300x8000000000000000200372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:45.358{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50649-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.774{EFF5EEA8-5B87-6352-D102-000000008C02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.771{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B885CFFEAD7E8CBCBE745CBC45BF806,SHA256=14AAFE82377FF319134008EFE1A59C9EA7D6A7EF659F10582E4FD2DB589619E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.412{EFF5EEA8-5B87-6352-D002-000000008C02}736420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992D878B41F26A6F059E4E63857CE45A,SHA256=783B40710E951309AA7B93B32DE5FF11180985B90BDAB9275120E1BE222FA5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.577{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0823132FA2D2BEFD017404E9326A76,SHA256=7452CDE1D1ED13F54A2508BE4D3C403CA0B60B2C4BAD7E7C36B8BE9B8DEA6354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B87-6352-D002-000000008C02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5B87-6352-D002-000000008C02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.208{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B87-6352-D002-000000008C02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:47.209{EFF5EEA8-5B87-6352-D002-000000008C02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.322{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.321{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.320{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.320{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.320{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.317{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.221{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.220{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.215{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.203{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.200{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.198{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.195{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.192{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.188{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.187{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.186{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.183{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.180{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.178{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.168{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.148{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.140{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.139{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.136{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.122{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.112{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.086{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.079{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.069{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.064{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.062{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.059{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.056{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.055{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.053{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000291142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.052{30B46F62-486C-6352-2D00-000000008B02}27203392C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013438F10) 10341000x8000000000000000200394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.609{EFF5EEA8-5B88-6352-D202-000000008C02}16402828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.516{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A652D6B26FF23CFFC7F24346409823,SHA256=304CCEFB509E17054DC3A0A402027D81B6F78BF5747545DD23CEF245BAC63040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B88-6352-D202-000000008C02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5B88-6352-D202-000000008C02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B88-6352-D202-000000008C02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:48.438{EFF5EEA8-5B88-6352-D202-000000008C02}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:48.711{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA0026AB6D6045C315670AE1AA15741,SHA256=F48D3599BF103EB737E237992B594A6A969A032C34CD9BCA583DE012D6AFFF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.941{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E791FC87A9F611A49A5EA21D1B0275D,SHA256=BCA3DC2E16DEF7F0C7C7CB94AD773E0AA30FF026407DC701917B02DFAD2FDEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.769{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EA011472D9831D09B71863AEC3657D8F,SHA256=545E26677BFD1627BA9D1E11DF43D894CC216B811281D18B5A1A99604B9E30A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:47.481{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:49.797{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471981FFAB6F33F786A998E157919A12,SHA256=F42A88B2DBCC7DE6176C3A4F0BC3B616AE47EE6CF37FE6048DD5226D986B1C78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5B89-6352-D302-000000008C02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5B89-6352-D302-000000008C02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5B89-6352-D302-000000008C02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:49.115{EFF5EEA8-5B89-6352-D302-000000008C02}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:50.803{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2E0167B5D95F8DDCA72FCB1168BF7B,SHA256=2802E35FA22095583B4979A7B44ADA30EBAD5BA730AC302BFF05C9BCEAB65D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:50.955{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69C19F60B854DF8E9691A575890464D,SHA256=D345EF39F2F69985DCA22CB7397C9B11A5056F8D94F83134ED1C8A0FD4818FCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.924{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.877{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.874{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000200424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.869{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0242B2F71E533219DA3B03286CAE3D1,SHA256=F3C139FFB6CCA9E18EA6527680FE8089019C51EA2CE4DB4D4561A631B42AF7E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.861{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.818{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.796{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.791{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.783{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.770{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.760{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.751{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.748{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000200441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:52.968{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C621824890C570C28E633F50815E5C,SHA256=57F452CF888EC3F8B78FBF4F54F53A74FD951669E344E8CC05C37972693E4332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:52.057{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D461C30D3A32720113AF8F60F888CD58,SHA256=D8F3D2A4971A0D24DB4ACB62CDF7C86466FF8F918A9EF55874D3E50604D145FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:53.090{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A04EBFEDF4FA240984CC4D526F51A6,SHA256=050F8CB11B89E5DAC429256F183B58D99AE9283FCCD78684E06C1B2465F9AFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:51.334{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:54.144{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7617B74832C9E034DC773BE59B3054,SHA256=4E7C312D40C783C605E41DB4AA3E96B2BEA7C48C4F019BCE2A800FF8C24FCF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:54.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5695A5AA592EF82936382B491D000BE,SHA256=C400DA0C9FCCCEF92029DF90AFEC13506479A2483DB5D8FC388F7CC7564F8DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:55.224{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D244CB052CFDFA8FF610661DDDA7409,SHA256=95EC2583B0FA1390757D22655FA24A39AF4047B47316865363B27127136B72C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:55.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D85AD9655962C58C52CA56E00A4AE6B,SHA256=86C0FC2E1693CBACF3A5D5411B7B8EA17CDFD327147D61C0E8C07134EEF1720E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000291218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:42:56.610{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e529-0x1defe6f9) 23542300x8000000000000000291217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:56.282{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CB978C1B650732079CEACE80A0E1AB,SHA256=29334C0988A9B34B61CC353FFB39D989C460114CA7070BFB10769E339AF5978D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:56.246{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACB52AB97B540E1EC4DF788F4CFF8E1,SHA256=5B9D020FA07433ADFB6FF9097CC731A9EEDD45F4E2276714AB4038C4E94F4418,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:53.439{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:57.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAB5459FA0E6555F1B975C0EDBBDCF8,SHA256=38EB1E06FB00AA918AF7E45DD27F0B1E84ED53EFB2B2F9A60FC2C5145F1AF835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:57.312{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7E5008E74223674D9AC530C122941B,SHA256=9DC046A3C9D06A2A829AB3D63743A2CFD0EE302FCD4C00740A1AC4BDC1E4D09A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:56.560{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:58.410{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FD525CB243E0BA75B254209A6977D9,SHA256=3D9FB733520F0C61F23E6B979897DBABFED6E1109F89AB42D8961D274DB161F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:58.331{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8B0EE0986C7B0DFBBFCE7E8CBCCA5C,SHA256=6C04B58F4AE4195C85BD0C31C77A339EEB52595F2D517934DA0BF145527FC4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:42:59.515{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946BC8BCF12F675CD1AFF28D4425729F,SHA256=A195D4B28766F500A17BDCD48FAFF565B171EABBA9442F642474A242E74CC55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:59.432{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8454865DAABAB6FA732C645C37C6B1,SHA256=AB98D243D8223035C136C4572EBD72B0449FECF5474B25689A9C1FD37B8F5FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:00.604{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1549F4AD18D19DB5F0F6B295A67B0424,SHA256=8D5ECC7C61AE50E57AEEBDF35C1A4B07718C9C5D4931EFD2B51930C16CE02028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:00.503{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9442304C2FBE91135CBEC869072D010,SHA256=E1D9AB50273EF6C392E1FF30AB7B4D087A650B6804B3F3D6E7010EDF60FC8CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:01.692{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA1B010B1AB947245C3098C7A9225F9,SHA256=E5045228980CA724062782B898BE5CD076A6806D1842BC2D407B1820F92B499D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:01.877{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0CA2FBF3DA71D093F8035B6C4DB5B972,SHA256=3B0045621D17A11C18BBDD59B0D3C87D672402154826E9E51044E672BFF5CF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:01.576{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CAD4897D0FE2ED8D26DFDF72CD15C8,SHA256=A5EE0C5E2D5CDF9C821F1B7249A636427C5F8D5F666F12B0D155D27DD82CFDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:02.803{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96684C85FD6E2340DEB0070E63D2027,SHA256=61D040A96F8155CF3D0EA7D8557027776B2C8A086A4FF427A322FE38B0ED1C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:02.657{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758CBEC7938E86356FC8208879AF7B16,SHA256=2ED03DE2494CC100FF5AB8A0EECE8B93527739D8800650051FD08EECAEB862C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:42:59.452{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:03.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D341743D56B0F41E92733395080DA0C1,SHA256=341C8DFE291C30D6080EB03175E1EFB673B7525266B6B7D216920F61EC1010BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.992{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.989{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.974{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000291238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6F04BBD61CED9C4723C995A1C38CB632,SHA256=5F7428D4D1012E2821E9F9EBFA759A70669831404076B6EED440B68A6111B81F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.961{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.951{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.942{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.916{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.903{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.895{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.884{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.872{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.825{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.822{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000291227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:03.778{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E88B9B111A7A3309171A6B29547338,SHA256=2075AE23545E14B6C76F3610986186707673D17EAA6F6E6E0912D96D59A229E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:04.991{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027F78DD0426520B89E77E696AC06AD3,SHA256=39BE372136A2B5E1F7B08678F04064991116127F03F13357DEC181D2FA76E941,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:02.519{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50652-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.808{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF94EAE59A5E4076309732AE8DB287F7,SHA256=5FC0E3504A6563CA84081EAB1A39F0F2809CC83634C1264A408BEED468CD6789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:04.866{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0A8EAAD60FAC6C539549F5E3B8CFB46C,SHA256=2763A86C257A7AFDD51C2E8610317515FCBC5A02C4D9C20D49F33ECF6662708E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.542{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.538{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.042{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.036{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.033{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.026{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.024{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.016{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.010{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.007{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.005{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.003{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000291255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:05.859{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C044FCD72068D34CF1B0608C5E294B,SHA256=078FAE3AE015F3A8B70C2B17A5B727DAA47432CBB62146334B5A1BA40A821AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:06.944{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FA39D7D7D69C94C5E4E337EEE5C42F,SHA256=0649A3134669715305387502C5CCC920CC9F1BA9F5126F97E7BCFC3530D73D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:06.088{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1FD29BF1166713F9EB48825995245A,SHA256=087CC5B9FCD97CFB16A3F82984228CE88464A6942C326A5807E226778E533037,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:06.562{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:06.561{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:06.559{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000200458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:07.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDF62C43AAC18FFA4915F4FAAA3A23B,SHA256=BEF7EF4863EABA10394CDE7E012315EF5A4EE68B8FEF011BE8801C07D0F2C79C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:04.454{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.253{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.253{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.251{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.234{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.231{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.229{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.225{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.221{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.219{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.218{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.217{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.214{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.209{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.207{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.200{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.182{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.172{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.168{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.165{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.152{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.144{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.116{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.110{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.103{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.097{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.095{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.092{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.090{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.089{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.087{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000291260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:07.086{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000200463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.459{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.459{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.459{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.289{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E83BFE20BBBC57749D65986FAB21A7C,SHA256=6F3C60F92FA985DA010343838F234725ED6501B7F25D8C7898BACBF072387901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.260{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-079MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:08.233{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC11CB2C65A1095D6F6E112B3ACBC2B1,SHA256=A125508AD980B2B58DAAA3F458C73D44D2CD3E65B672C659B30026B67A4E37B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:09.395{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E789B8C5F6FAE4E3D5A92339664ACF,SHA256=96E8DD5C895350BE81F8B6CD5D12D8383D7BCEFE6B53CD680E657558ABA26107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:09.250{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BD3C51D496D2033943CB8392E2C033,SHA256=1CB8462643E2FD1EA768F9DFDF0A5E2CA61EE8BC2D670CED3379BC48A9F9970C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:09.272{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-080MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:10.501{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB055993F165D43F4E66CA8126E7CD3,SHA256=CA89FF8E3EF8631E8DE4BC3EA26E2D2F3E15D92E04D8B0BC865701FA28A897D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:10.336{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE35B35F0D82F905FA86A3DB54E2C73,SHA256=10E5246ADE0A582E64EDE70603D410BBB7A09181D3761B42BE51C876810BAF69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.927{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.810{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.792{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.769{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000200469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000200468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:11.583{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D3624E37AEA6266428FF9D8E28F228,SHA256=36C8943B5C59AF751F16C558F959FC587D1A2E9292AE29D0EE0AA4A3BC5F7DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:11.372{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5E7971A8509467383C828602499224,SHA256=68D1102F34B9A33CF221C89F387AECBD833C03C2B89601ABD45A99E12A74DB72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:08.519{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50653-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:12.878{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16612FF64F2321435113A498803D2D42,SHA256=CF1330164DF62CD10E9E706B6BE7CF521E6138F6DC15BBA1F0D98146995CF2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:12.424{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA4BEC92A1574E4376938DA25822AF4,SHA256=1F7F1BA84B7D709620C01529E2B6A055E95ADAECAC1ABDBCB4D8281ACE5A8A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:09.515{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57188-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:13.973{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC08692DFE96AB2086148D73EF686E13,SHA256=601E56D6902978AA2E9439E2363DF18098F35EA53D9FA8D411ACCF9DE0F1E579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:13.511{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AB14D5FD28BC4EB4A0228A8C312871,SHA256=32D4D6FD40C679DCDB167274C7D6BA0102EDB7C5759805132460560456AD2979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:14.560{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC75BB717B55E02E045A5A4E7F383AC,SHA256=9F3ED1003D4B5215AD7C4204D3110194087FFC6FC73481E89FC4DADDC68F4732,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:15.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7227D611633F10CCB538A96912A313,SHA256=4E2DF143C260854E2F7A959F948AC7D9857378FB39BE7A4A259DE96AF94B86D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:15.377{EFF5EEA8-485F-6352-0D00-000000008C02}7881196C:\Windows\system32\svchost.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:15.081{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D09DC658A17222B4D549F9FC992B4,SHA256=6786CB773A46180D03ABA154D1C3EC5C993420212D336D0D86B3FFC79C0689CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:16.681{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ACF99901B2C0764D2F7BCD4AC19E282,SHA256=40029B5551F4A5F9FE7D5E2F3B345CE79FD008E5992962E0B9B4A05DB8CE45C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:16.169{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC2C41FED446788ABFC2D1CF6BB0C45,SHA256=C8B56162F29B9BA0F01EC0DA6BEB8388DEBA08ADA7F3A42A19832D9CA508704D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:17.751{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E31B7A78CE666F0568528D6AC0505C,SHA256=0DF559558AB56EF7C8B872A4449E699BA07A46C67F1F27E902B1CB5E56182CE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:14.547{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50654-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:17.371{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218835C8901C11D0D0B91A6EF2063745,SHA256=5A6CBD71BC9F0CF0BDCEE19690BD6E4A80B9EF9D91DBEA9AF4ECE54F08E57A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:14.550{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57189-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:18.837{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B288E6CD5AD5067BB7C36B3A7BE9C48C,SHA256=66A471D6335323CF1B798145690876F820B7ACE09B58754A32249B07687E3E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:18.479{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4758EAB8FC8C417F9D0AD4A7B903A7E9,SHA256=8588F667D6EBB042E3BF3A87481C83B097939174A1B9C5C6E622A1E6E464CF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:19.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE1DF113707D792FA85E8E2511E24E5,SHA256=C7BF6195EB7F79A48C8FB1B0EF8C34C3DBDA2F6CCF00B6FACE7318828712B9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:19.557{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43861434D3B4488541BE042C1FCE41C,SHA256=4531995C4AA44BF1082B73898E6D0F714F0AFA17FA284430B2AC886731EC4813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:20.666{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF5F72917D12674B57B493681F72182,SHA256=DF564F422AC5215BC4173E0A2DEC250974F7CC2BD38C5F3CEEDE9DB46DB9AF1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:20.471{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:20.471{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:20.471{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:20.243{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-079MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:20.041{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=66816714FE4EDEC2790C1F75838D6E4B,SHA256=03E6703AB253DBD79075E6D4A99505BADF69E3A198BC6C38F7271CDF84EBE289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:21.779{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13784664EC873F932C0B17FB412263E8,SHA256=59E846D4C879BB3CB75C5E69A84C07CA526E7CEA0DA0C9E8AC8CD0EE4DB2FC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:21.244{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-080MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:21.043{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10578ACB91B1D0F4972A86D533EFD5F6,SHA256=4014969C6060044F9524DE1E4CE5BB54A1863D25554F1181C5577C265A5E0CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:22.885{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE3CBFEDDA8501223D13C81AB5D16E0,SHA256=8614198267E5B8DFA1B71A6C11C49D9E68856A0975FC9D0AECE382736D30DAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:22.146{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB58A403C2E94114249E091BCB8F449,SHA256=88EC19D789144111F7C037AE81B260C25B21CAD8400B9F7BF78D49B416F357FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:23.962{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB106155FE34BF94606BDD783AEEF75C,SHA256=733488B15013856B7CFDE0B6C3A57CCD64098B8AE28E442BAC4EC8B3FFA2FE6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.995{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.993{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.990{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.988{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.983{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.976{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.964{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.957{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.948{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.940{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.915{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.903{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.892{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.882{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.874{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.827{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.824{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000291314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:20.393{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57190-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:23.247{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D511B5B43ECC32D7F3EE8D81A080429C,SHA256=BBAA30C1DBB15FC0AF943C8553630BA9F60FCC4969D15665633F094C7E2137F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:20.559{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.409{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.406{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000291338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.300{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2705E96C592CC03CC70B44C8A1A41AA6,SHA256=5C8FF42F43443E318970E2A69EDFC5DBB3AB489E67CD2FB84E35631EEDF8CFBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.025{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.021{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.019{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.012{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.011{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:24.003{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000291341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:25.422{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC7687D456575F3FCE0D0EACC62CA5E,SHA256=0ADF127F22D69265B655CC768C475EEBEE0179F97EB856815F51ED641D432B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:25.049{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12DFFF93D0C8ED89F14577F5DC97DBB,SHA256=FBDE261B03D7A1D65335CC14CB98D4B8A1F034D2DC1511535907FA489B555FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.979{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.973{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.966{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.961{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.960{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.957{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.955{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.954{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.952{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.951{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000291349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.431{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6CCB75B60E8DE93349799EB6B9B5AE,SHA256=F7AEAC7FFDBA008BFBF919BA4C4772F9835019AACBB7948F457B522887DEC015,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.428{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.424{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000200515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:26.148{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80B3D3217F2595D386D3E3EC4035171,SHA256=20E24C433F112BCDE3D2D3399032410624E178CA6A332BD9AA659CF3F814606E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.421{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.313{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.313{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.313{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:26.301{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.851{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2504CDD04ED0ACD80B0BDC5ED79F3BF,SHA256=10D1E77E3E66EC922BE76F7C8A3FC81A450E75AB8B78988DC10E5A734388AA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:27.220{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00914341A1A6E02BD40A4B4B18D4F13D,SHA256=42E7FBC57E6CFB7129D2F907694B8D5BBA048C31C70FABDA9938455ADFCBD905,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:25.521{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57191-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.178{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.177{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.175{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.160{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.157{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.154{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.149{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.146{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.142{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.141{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.140{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.135{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.131{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.129{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.118{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.084{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.066{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.064{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.061{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.036{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000291360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:27.006{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000291383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:28.924{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD073FC30231C7154184A225ACF421D,SHA256=4969C342E2FA62D82A4B27458BC60F1C292FC9E32C272D731C91FF5855EF0599,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:26.531{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:28.309{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923E77700AF08FD984BF49048B2D02A0,SHA256=49D91019CECF16D293D3C99160599BE799BBB953F6038715A4740B6DF8D998AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.969{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410955FD8BC0783014C7CDDDF3131C4A,SHA256=F48032B9E63525326DB8E9A17E8AE0F341B83F4400834D6E03A83795AACDAFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.969{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:29.844{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:29.389{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1958EC3F7A662EB8E91A83141A8045,SHA256=F039E7ED73E8E39009DE0E9B982EC0A10F750B75483E69D7F51C670125C3957D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.869{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2CBB029902A7BF5348DD61143375AF4,SHA256=A89BE5AE7665130F62F1816D6B11A1C1F3977DD9D9A29BD683E29623A78A2B74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.787{30B46F62-5BB1-6352-8303-000000008B02}9644560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.738{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.738{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.737{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.737{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.737{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.737{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.553{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.554{30B46F62-5BB1-6352-8303-000000008B02}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:30.483{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFBD32E69FDD78D262A54985CF68BEA,SHA256=F3ACC035479D3FAF554EBD72CE3520BE93CE81B131984C662116F42D784A3137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.696{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C5DEF6E3A9F84B55E2176DC2DA986F,SHA256=E2D899425572BF9C71D3596BF2C0D5FEAD7BF7E74F4D8BA1E693C1BAC613A32C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB2-6352-8503-000000008B02}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BB2-6352-8503-000000008B02}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.580{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB2-6352-8503-000000008B02}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.581{30B46F62-5BB2-6352-8503-000000008B02}7916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB2-6352-8403-000000008B02}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BB2-6352-8403-000000008B02}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.056{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB2-6352-8403-000000008B02}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:30.058{30B46F62-5BB2-6352-8403-000000008B02}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.976{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.965{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.964{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.951{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.950{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.946{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.937{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.878{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.866{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.812{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.807{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.798{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.775{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.764{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000200524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.761{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000200523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:29.140{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000200522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:31.580{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A1C1C593C8FAF1805BA4D3F6A03BB3,SHA256=45E440465A0C64C21602FE8FEB70B0F04764BCC7242484024F004FF3DDCE2F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:31.982{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF245D17814AACBDC8B9FDDA5C24E114,SHA256=BEA6F61D4048CCCFA6CD2B3608A70FAAC84184DE2BC58D2C04F33646658812D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:29.321{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57192-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000291419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:31.081{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92C6D2EC17902604FA0334591FEF99B,SHA256=77CA4C1963D5C6A2152D78F3997FAF76FBDCD77F4F2CF7AF44ED135ECD08EB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:32.154{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48203331BC82506B0D203686D26CFC20,SHA256=937FAB3704836676F14699EF6CA3F7EC3FD9979140EB2E1709BD7853CC681319,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.487{30B46F62-5BB5-6352-8603-000000008B02}63205464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000291432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:31.433{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB5-6352-8603-000000008B02}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAC9245D6224148A46FC5E4E57FD5A5,SHA256=E2773339E4FA672F3B745DF282D485CF0C3CFED31DA86A22D686C10E99FC79FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BB5-6352-8603-000000008B02}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.303{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB5-6352-8603-000000008B02}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:33.304{30B46F62-5BB5-6352-8603-000000008B02}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:33.167{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DE40858706F40DFA35A3D723A20949,SHA256=0BA4862053CC4BBCF4985D1CE374B9798272EB17E05ED11DAAF7DADC312B9153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.689{30B46F62-5BB6-6352-8703-000000008B02}45207012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB6-6352-8703-000000008B02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BB6-6352-8703-000000008B02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.504{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB6-6352-8703-000000008B02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.505{30B46F62-5BB6-6352-8703-000000008B02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000291436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:31.734{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000291435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:31.734{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57194-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000291434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:34.360{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A984652B46EE1127B4DFC85B8F3DBB,SHA256=1BAD49870B877744B902DBCA4990D1A0F2D3F411C3BAF25C17E7F1CA66F36E59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:32.430{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:34.221{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491FE4D15C88B2D0C0160BBDBA2A957A,SHA256=37F6056EA6F7628D3C55127DAE9ADF738FB9703B13FA7DC9DF5677FE3A2F138D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB7-6352-8903-000000008B02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BB7-6352-8903-000000008B02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.690{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB7-6352-8903-000000008B02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.691{30B46F62-5BB7-6352-8903-000000008B02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.445{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7DE6247918339FCED507DE9634E487,SHA256=276EB952812E6AACAF807543FA89876683AAE09FE84ED54D5BDC6B72264D6CB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.374{30B46F62-5BB7-6352-8803-000000008B02}78447908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:35.299{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76FAB4D9D896F7EEC4310687733A99A,SHA256=3304C7CE87D0B4AE1862C95456EDBB8D21465BFEE125FDF635E7430EB2AF96BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BB7-6352-8803-000000008B02}7844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5BB7-6352-8803-000000008B02}7844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.189{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BB7-6352-8803-000000008B02}7844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:35.190{30B46F62-5BB7-6352-8803-000000008B02}7844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:36.706{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5CC56C17CC11442EC9E931CDF9F7C1,SHA256=B39EDA0527259399F987A06F98DBAA3D31C2EDB883A5125A0630078FDD9C848B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:36.522{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2759607676C037F3C8F7A989D3F0284F,SHA256=CA51E23BC531E4AEC30B66FABF88B015E49081886304B2B3B42A6CE9C4A1FAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:36.383{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C8F6C864506109C72D9F270CA28BAF,SHA256=D2D2994917E10B3364C8ADA30D173EE34D2F4BEC3973E927B0DAFF2F5086A149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:37.472{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA982970DCB21D4F1A331D749472D10E,SHA256=73A77A33EAE7F3857B1AD355AC2E01E0473EEF1BE564CCBD31AE0C8CB77DEE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:37.592{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E6E2D152BFADD6BAB48CD08B9BBF42,SHA256=6F25F669751E78D6D0538D3DC09DEDDF9CA68A7A760214694560E744B550D413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:38.566{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098BAE599A7C93068C56D9DFF5A34F1D,SHA256=5A29E2D3D40532491C7140459FDFCEABF34B9A520C5160B5959EAFD1DA102DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:38.642{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758ED5ACA81137ACCF15737977E4E899,SHA256=0F354E78B1D46FDDD6BFECAE66C77BC82237D266F0D479DD2BE6479F7B7EFABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:36.527{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:39.646{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8894B146B0950504E74F24A21930D1,SHA256=66EC3B0B5EE8D0576BF8E0E6C9DD144A0033A6C8CE38C865D4AE445B65377950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:39.665{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3054C98AFF8ED67C85395B280DDC501,SHA256=8189CC07F83F8AB2584398A09AFA2555683E550D76AD1D03C5A0B90780B0EE1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:38.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:40.726{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C8E9BB6264EE0E6E74469928EEC12C,SHA256=27F19BD4D1AF056108906408043B891D96AC3C516AD6D2308D631072F4B0E936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:40.726{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5CC1C1625078556CB080E9F51F1B43,SHA256=F75A8F98C4741AF22533B49FE1D1032B7F77B08DA82F8423458769DEA1F96EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:41.830{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184F3C83750262268D863E59004E0815,SHA256=5B5A1732AD12509D128D2C47818F55CFE4AA27DF9FE225A21670A916E55042AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:41.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC16BE6DD2D06BCE58CB6BCE552310E8,SHA256=098211B3A4924AB7C3D6C2C6776DA9CE01BB76341AF8992E451548A7123FDED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:42.944{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935525B18975DEC93E540BD2197513A2,SHA256=CE7E758878F3837A476E57B6372394FA8D1F48B370D01F3C2292521EB4C50415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:42.869{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97EEC041B7D9D61D12F3664D51AB7E2,SHA256=6ACB10EBB1826981D5E96F53029E2CBC1BA02FFA83A160FBEE33671C26AFC41F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.981{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.967{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.919{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E42FEE5E3F1C2B6EA9999918C23B4E7,SHA256=34C34CDAE19F303693072B22ABA23AB247FB75CC74CBCA8CEA49B81CE77301F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.917{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.899{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.891{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.879{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.866{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.816{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:43.813{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.973{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E27B79EFBFE9D98C66DF41EBABA33A,SHA256=53300B5CABAC8ACBF889E8703041050D1FC1B3388524257859D44043F4F35F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:44.003{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CEDFA1A676210EC2125066BCCD86B90,SHA256=B9B1917E2A5C04C6C383124B7A41376D6CF2852DC947C4BA70AB306D06E871F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.587{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.582{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 354300x8000000000000000291497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:42.564{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57196-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.169{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.158{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.152{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.137{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.132{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.111{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.073{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.059{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.057{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.049{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.037{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.025{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.010{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:44.001{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.755{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B4E80F6E9768434091CAC953FF956DD0,SHA256=5A646AA37ACD6D1EEAA09C3C5CCA8DBB894618B131C9781D0A5F92091D7B9227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.711{EFF5EEA8-5BC1-6352-D402-000000008C02}16522516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.670{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.669{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.533{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.534{EFF5EEA8-5BC1-6352-D402-000000008C02}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:45.098{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3B71A4A70CC08FC1B1676761389940,SHA256=5A8DF011298ED38BC406607BF1702B260EBA511F92FE384AB867E6B0B26F20CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:44.424{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC2-6352-D602-000000008C02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BC2-6352-D602-000000008C02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.876{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC2-6352-D602-000000008C02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.877{EFF5EEA8-5BC2-6352-D602-000000008C02}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.730{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84C373B2970538EF5BA479783B490835,SHA256=1996063AA8A1AFAA7D0773EDFAABAC12F13FB5E21F2050772BE4CB625DDBF97A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.378{EFF5EEA8-5BC2-6352-D502-000000008C02}33363424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC2-6352-D502-000000008C02}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BC2-6352-D502-000000008C02}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.206{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC2-6352-D502-000000008C02}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.207{EFF5EEA8-5BC2-6352-D502-000000008C02}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:46.194{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A709A95CA1DB3CF5C5DF42D0B61A1F6C,SHA256=EB57E30632509ADE1BB9B62BA95B8EFA49DBF355BED4C5E4FF0C8AED9783C9BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:46.606{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:46.605{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:46.603{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:46.051{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928FF13CBDAA09F80194AEE87E3C1CDB,SHA256=9B7CC30171658394B9836242EEB61CF9D63A9003773E5DD3A5E9A278DAD49149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.692{EFF5EEA8-5BC3-6352-D702-000000008C02}23563416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC3-6352-D702-000000008C02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BC3-6352-D702-000000008C02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC3-6352-D702-000000008C02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.507{EFF5EEA8-5BC3-6352-D702-000000008C02}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:47.504{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26633D5DD80A41ABD29C4394C49445DB,SHA256=4BD81326D4B87F05336B89BBB8C1543FC4B48601D02866A2BDA00059C930EA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.322{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.321{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.319{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.304{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.301{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.299{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.293{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.290{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.286{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.285{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.284{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.281{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.279{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.277{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.269{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.247{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.239{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.231{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.229{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.211{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.200{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.177{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.167{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.154{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.144{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.142{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.137{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.131{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.130{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.128{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.121{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:47.104{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684FE7A5E37CFD2E8FCB9D0D534560D8,SHA256=24611AD0010C9F18CFD4DDFE65211EB4D5F3E1E9A2549B3068F760EF0EAEF15A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.916{EFF5EEA8-5BC4-6352-D902-000000008C02}31283308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.745{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC4-6352-D902-000000008C02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.739{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BC4-6352-D902-000000008C02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.738{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.737{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC4-6352-D902-000000008C02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.737{EFF5EEA8-5BC4-6352-D902-000000008C02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.736{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A056139F20E616BD7DF86DBD901F1C56,SHA256=B364DB235F459277DC6EF97DD32B2375E49880EAE6DA2CDF03B2B4CF2135BDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:48.338{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE7D3B607B204741E49E5D3A6DF4C77,SHA256=0B03B0627217B69E131CE1B8C34DDD1860CB96C5F4812C8C8874875470A4E6C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC4-6352-D802-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5BC4-6352-D802-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.120{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC4-6352-D802-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:48.121{EFF5EEA8-5BC4-6352-D802-000000008C02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.931{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C5DA4704D9B8D46DD952B0A9AA7A32,SHA256=F0FCC74C62C68B9DAEF61860AF1B444339F9C1A5BCFA0B35F72D45331B397A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:49.424{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBD54AA98BE596B77322D58BE73FF27,SHA256=CCB43E3DD2424C8F1F32D977D74517CDFC1DBFC6E1F5AFE3CB3075D1294D6416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.305{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE3FE6BF6DE1EBEA5FAA9F651C35ADB8,SHA256=F85D2B7186DC38904AB62FA1C74C07C67ABA954BCF561F601CD3C994661C0F70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BC5-6352-DA02-000000008C02}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BC5-6352-DA02-000000008C02}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.289{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BC5-6352-DA02-000000008C02}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.290{EFF5EEA8-5BC5-6352-DA02-000000008C02}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:50.991{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763D6FC6D5C15BA85A7D16F03E1639EC,SHA256=531CE243CD15294C16A852ECFCD8DEB6203FC30882ADC9F4FCEDEBEE13855BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:50.559{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D77BD697F1F663505D14E412270AB0,SHA256=71DBA07072ABDEB92A93F24F7669670FB015F3032D7034F8C7A1D63A6255FD64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:48.493{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57197-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:51.662{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AA36B24AF4FA64B5FC2E20DD2AD9EA,SHA256=F90190B4D4FD18B4C4C46E7CC27830AD1DFBA9E83CBF3ACAF3140EE96B256420,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.860{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.859{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.850{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.814{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.808{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.778{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.771{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.750{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:51.748{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000291542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:52.713{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEE4EFCC7547DD7092CEAB27DC2A0FC,SHA256=CCE3902AAFF612E22D8EBC56249F78D1CA965D66778F597792A5325C552A0A0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:49.569{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50661-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:52.317{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B256086C9B8824C15AD84880CD35357,SHA256=0553454796E023697BFE8AC226A34730FEA86F28DD8C4DCBEBA152417D88A7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:53.763{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B547472965CE94B00A12AD5F02C789,SHA256=7D991A9C3C5A931D8F0E525724ECA219EB2184D08D7B7501D0A1652CE84BAC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:53.380{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6A76FFB9064147850B6BB56A867C96,SHA256=19C4EA7C5ED4C08CCF0AE59E8383D90C00BD7962B1CBD0B8D5A43097894B4DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:54.831{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCEC2ECFE83F7EDEC6399EC0D0E48AD,SHA256=4DEDB65E2CF83529EB12958A97244211B2C5C2001ADDDD5244D27393F6C830EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:54.472{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7073AE211B8135FEF3545FFA610DD8FE,SHA256=660526B082D3C4E8AFF77B0D16AA3FB6A07BA295A5A0D9EA055A9A2FB65CF87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:55.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF070328099D3BCF511BA71E2D7E572,SHA256=E7E698BA9EC103E04F6FAE919745E95F75B2A398EAC753D9AAFCEA5D9F1984A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:55.565{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EC91DAECC7D587781EDA8D787D13AB,SHA256=41AD643490AE4342958F001AC1298EFC7D8A61F145C909D27CF615A1BAB62414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:56.949{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136ED4B5F72320270D3F4BB247130DF8,SHA256=257A37AE144F4A1F14B6A6836AC894EE42F2AD645A6D48BE014AFD2823B0CE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:56.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DC8814A15A27B550F4F9FCFF83552B,SHA256=561DD65D71A504CCFB03F8294780FB70BA4432E6CDEB56E4FFABA5C6709EEDA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:54.468{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:57.990{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BAA2087BB63B6919612C742A6A9228,SHA256=29736D72323207537DA840E9B26976602E2A5BA3DEBD01952F1302C09E3710A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:57.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECAB83E71DB00B644FDB9B67934F7AC,SHA256=6A1A35B8FD8CCEB53100B9ED9697EC1712EF248F50E8ACD09DC337E377053276,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:55.490{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:58.836{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393260F28B779BC8502B0085709CFBB2,SHA256=49189311A6701B989F77D719C6367D26936CBB0462060BE1634B9DC5245A5154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:43:59.924{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C5EF35F940AB851D48D4A2078A2FF8,SHA256=7BB0E9EFA3F947930411754D134EB1480E89A17E9221FF1EC447B3031819A18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:43:59.036{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C3E644213C91085C472FF7B69C84AA,SHA256=AA2EEDCC5DFAFDF422118E6AC2CA57E9DC83F903C277F1AC894A7D2D30BD702E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:00.169{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B24AFB565A67FCF75AEACDE051F6613,SHA256=4B3915A3A776440DDA74B24F212E4E9B27702E21FD674B19AC4F8598D605CFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:01.229{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772BCBB5F17F8237DF5B069898798CB1,SHA256=DF281C4A96A724BB9D3CAE4CBA13DCAA4F0F37B6922F45DE693052E7FAD0E726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:01.004{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B7AABB9C15679A0E76FB9732807186,SHA256=C60A064DF7B6A412A1127DD6D114EFB26830A31C9FCC78FD9E52D561973EEA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:02.098{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A052D253CA14887C82B10D54BDE5D9,SHA256=47D2B111CA64471949702513B13BD519710E3B3DB62FB22E1A4215EAC5226E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:00.426{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:02.281{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6B9AA65D7F7CB32F1C18F8E57FD8B7,SHA256=F01E1E801411387411AAF713C420529E2F497E06F413377E37B817A9BCA82A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:02.099{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4EC71E076773A2918C7324DD32923D52,SHA256=409CE727B4567ABD880584DB4AD348CD25CC14CDC61C011E63F5541D2953D0B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:01.424{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:03.285{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC7BBD3CC10502AF79C119F316B1BBF,SHA256=B11D257E750CBCD6D86C01AA2338DB6074B39DA8B0A602E5A68DCAE407EC413A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.988{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.979{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.969{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5F3BC755BCA5A013350003D5BEA56339,SHA256=24A4E17C17242845BBA960E310A9D3C08BAB0093DD6D10113D1459B58C5D6194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.934{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.916{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.905{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.890{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.875{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.819{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.813{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.359{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F04ECD84A1ACBD4AF47D9CC1EAFF61,SHA256=C2F9E25BA26BBD47FFB36DFE9C6EEA7AFA4054A92094011C748093335FD87322,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.310{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.310{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.310{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.310{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.286{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.286{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.286{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.285{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.284{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.284{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000291562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.158{30B46F62-485E-6352-1400-000000008B02}10441576C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.113{30B46F62-48CF-6352-9A00-000000008B02}48045936C:\Windows\Explorer.EXE{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+f1c4f|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+1665ec|C:\Windows\System32\SHELL32.dll+199ac0|C:\Windows\System32\SHELL32.dll+284693|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+166890|C:\Windows\System32\SHELL32.dll+163c6e|C:\Windows\System32\SHELL32.dll+e5211|C:\Windows\System32\SHELL32.dll+e80f6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000291555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.063{30B46F62-5BD3-6352-8A03-000000008B02}7052C:\Program Files\Notepad++\notepad++.exe8.45Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\qakbot_bin_xor\result.txt"C:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=160E49FA853DB78E6148E9DC566D96D1,SHA256=5D7C97C8C0FC601CD232BFEE97F51DF83C0DC6519AE42ECF0D765E69EB56E1C3,IMPHASH=106BC08A539BA691222AAF2F52A2FC20{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000200721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:04.878{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DE33D6ED1A3CA928A850D5DC1E05669C,SHA256=30D0D590A0A2E0C5E087B707D39009BCC22ED7DE4EE5134AA5A7A09A794B5463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:04.378{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176263D5F7577A44C10C0B893300C356,SHA256=12326C087C7FFB521EC67249EDA4BD60216BD4AE9602E83A738959492C21ABCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.489{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.482{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.461{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD7C407FB286CC2CE4ECBABE322B813,SHA256=57AFE82F3F2B05ADCA5AAC3BA6E083F46E92FCD9C5EEFB8D4174D57B305B6515,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.104{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.094{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.092{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.090{30B46F62-48CF-6352-9A00-000000008B02}48046704C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.089{30B46F62-48CF-6352-9A00-000000008B02}48046704C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.089{30B46F62-48CF-6352-9A00-000000008B02}48046704C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.079{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000291593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.073{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC8513904B1E26BBDFB8A934558742A,SHA256=ED1D762B1F00379AC9A67B031389B5E05D98AADFB0EA9436FA2C604E34F11488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.064{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.045{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.041{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.034{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.018{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:04.013{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:03.999{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:05.577{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9A87A54A29F53BBA442395DACDC226,SHA256=615E293582B6F724181000884B0762FB66EF76E165A4CD076EFDA4540AB4D2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:05.499{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A378C2E452AF1444AE787D663BCAE9A6,SHA256=20E5C642CFA673D0C7627242A1A1EDD784D4F9A2A2451F36E87ED2E6978411F6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000291614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000291613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004c18d5) 13241300x8000000000000000291612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0xe4b1ca05) 13241300x8000000000000000291611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e529-0x46763205) 13241300x8000000000000000291610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e531-0xa83a9a05) 13241300x8000000000000000291609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000291608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x004c18d5) 13241300x8000000000000000291607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e520-0xe4b1ca05) 13241300x8000000000000000291606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e529-0x46763205) 13241300x8000000000000000291605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:44:05.023{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e531-0xa83a9a05) 23542300x8000000000000000200723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:06.664{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE9E266F33DFA27A433FE94964DAF80,SHA256=BEFA2172EE5106CC397EB55EFA8CD753D8A735B4826591182D63C9C549A7C3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:06.580{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83ECFAB07AD90C344844FA19128D28D,SHA256=BD0CD2E3C85B206D4D185BD233871D65863ADB2A098551E832B364708BB86971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:06.523{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:06.522{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:06.520{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:07.756{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C2FCA784F297ACBE543C457CAA458E,SHA256=1CAE10918B54C3BE2BD6B5B16808F32DF02F26FF19ADAF10725CB11030F5514D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.749{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C225BF364A6AF3B7A832309CFACDF685,SHA256=F8162E9FEF9E5C6D36EFE7EDFB27C434E7F92AF41217512A2D3AEEAD69DCCC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:05.433{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57200-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.255{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.255{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.253{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.236{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.233{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.231{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.229{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.225{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.221{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.220{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.218{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.216{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.213{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.211{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.202{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.171{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.162{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.159{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.156{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.123{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.108{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.082{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.076{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.065{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.060{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.059{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.056{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.053{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.053{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000291620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:07.050{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000200726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:08.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43662435C431A862A83D021AE526B00,SHA256=9B4F87E6B16D1A17DC7A67ECD703B133A083390B4F0347B49F4981F29F3CB270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:08.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A40E377841736C3F4CD39D1D804C398,SHA256=4FEFDCF49A3044632822CE1865887B9CDB1FC33A70BAD20445676F20F8AFC34C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:06.429{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:09.968{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71473686C6F89778238972099481EC76,SHA256=E5DCC3AB11948B9B61C9D6684CA5C7004F9DA9ED08F6F7E740FB6F27E48153AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:09.766{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3DF0E99FB329D9301CF89D49DD27D0,SHA256=896B147827EC00D63B64C0B5E9FA913385DCCD7DA1E9890D75993D8708F0B7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:09.803{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-080MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:09.501{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=63836EDF866A72E2895CC058CECE7916,SHA256=2E607F2CA90D2CEB8DACEB0C2A8ABF0B48BEE40452B78EF170A77DC52064E2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:10.852{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FB9F77502BEB613C1698AF54389059,SHA256=70EDA04E1DBAC3568CB005360FDCDE2D16A945E08F8CEA626A3E98522F159EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:10.803{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:11.924{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39736C775D85293679FAD7D0D9892A4D,SHA256=5C9BDE9A865A246DCF16E6DBC2CADD8F36F14C685E444FB51F751FD1283799EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.953{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.951{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.815{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.795{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.768{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.760{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000200731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.758{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000200730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:11.047{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5D26E14AE89F1F3135569FC576328A,SHA256=8877626BEAEEE10BFDB77AE59BE3462B75F8E06889E5E8D4DC856D8B8CC54BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:12.568{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346EAA3901B3B76426A21E9BF74CB92D,SHA256=E6C447FF26467DE73A1AD703182D6E256A45330F8BA4B1ACAAF0A5877E80D668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:10.605{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:13.643{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C370E5C01D557BCEED5FAE3CD3222D,SHA256=9A5B5FE8EB2FC228DC29E555235B18B43AB49EC8768BA984FAA21568FDD1A4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:13.025{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9227B36BDE0C713254529223D07333,SHA256=ADB72811A1A227FC602DE97535A7360626E9F145D2C1CAE948A67A7EBA9ED655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:12.423{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:14.723{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1251374D18C7651231E1D03720B5BBC2,SHA256=64099D3468216863DDF627845E247A6026E002076753514D63D819BD66052920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:14.070{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD14FD2F331B7CA7FE1011518D05218,SHA256=D501EBA2E957D18749556A2B835D6F78552BF469FFC1B2F7F6CC7AD777383B0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:14.370{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:15.804{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1590212AC2F02DB5FA9EC2EDCBA30B8E,SHA256=27E8E8783040AA97B44F063761A7CF10558102B5D8467473B679DB108B406CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:15.914{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4c4360.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:15.157{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B18CDB5E9B11F54389C4119EE8D23,SHA256=3AC9DEDD0630349F7E319EBD96F6C47A4D560B128C1F8280BA328FEDBDDF4B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:16.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0232A4369E3BF65CC736831379285FC4,SHA256=6F9AA15A7319739F77C0817D9DE5709C3A0E6120A60A93EB084FE4900FDB5301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:16.190{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D973FFF3F2C3613F5A669B32A8840B,SHA256=8F45A53F2F7BEF521D87159513E8268CB7D5F8B6F0F3A215DD5E0FC78EE8BA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:17.985{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C826CDF42A4DEFD467B10A082934175B,SHA256=6C7FBE0AB501D099B26315A4E0482D6DBB01E594845DC3AE98F23D4851E141B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:17.274{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00A6A403E90D13A7A16548541C46CD6,SHA256=374B288ED32A46B5976AE20FF1ECE3DD4C64E3F9B6C7EA5286B1F72EF1841362,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:16.612{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:18.311{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553302E81E1B3ECB47C8F957DACED1B4,SHA256=907D9F0F6D909AB950D2DDAECC33B6792068A4A8C44B9CA61A443A3BF2F2AB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:19.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B2FEFAF964109666E73FC18EBB20DD,SHA256=62A006C171FBC63E3D6C5E639083045229E15BCF6429EF9DE94CF275C9560A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:19.508{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5D4A3C375719010C72E832BB69A8C670,SHA256=0CFF24BEF8BFCF8F5982967ADC13A065160B1B3D984D7696CBF6C5CE834A4414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:19.074{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF942277636282C4FC82B44B1318D91A,SHA256=B799545BCBF481EA849F9BDDFA0A06883C5B0A46CBB37897A40A48E5F39059C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:20.463{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63527E2DDCC9F575B91512E15679B7F,SHA256=DA8D3BB009F32B8A0F849D3B090147E1D3DD2CB5D3D921A12428D626BF74E929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:18.432{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:20.169{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E5D6997F81CE6449D2B29108E9BD66,SHA256=B74AF69334413AE04763F5A88D58CD58AFA93A4D5F60991B788CC332E1CFBC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:21.767{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-080MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:21.512{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4123A7F8F05E32A68C2021DF463C7E4C,SHA256=F727D9784E82A0B2B3F227B0994E28DE38666B5C3FCD263667399ACD5881398F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:21.250{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB58329331FEDD5F57642EF1B2356BBE,SHA256=F88B7AB1D5E702EE46EDA4DB3571426999A43AA8E28CE3460EF8881034EF1E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:22.771{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-081MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:22.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5919EDAC4E88F325BD00ECE1E1BD3335,SHA256=97410DE7FDDE80847B197CA9BCBC25C5B56BD064E2CE9A163506F49B7FCC14C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:22.339{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A45E5EF10AF268A1E6444F6617A01D,SHA256=396E762941B5E9C14D21ABBD2BF3228A8F6A59454A8B852C8872DAE1577462B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:23.440{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE5702D49790E812E71A523BEFDE638,SHA256=C6F3EAC723FE799F0AE57FA0C5F620BA4784C9A6017A4A9F8E3063C9134CFC90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.990{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.977{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.966{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.954{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.942{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.842{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 10341000x8000000000000000291674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.833{30B46F62-486C-6352-2D00-000000008B02}27203968C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016FFE190) 23542300x8000000000000000291673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:23.601{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3438D561DAA129AA2FDC24AABB510325,SHA256=72413B1C13FEB4079BAE4B3A0B23784248D6C26A75E8374FC274A57AFEC7A573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:24.536{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CF0A6575A1CA1D3442F98E728A29F3,SHA256=CBD903C2E96B1666AD28A2AD89D061D4B943D50DA868997F63A5DB3D9D7B5E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:22.495{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57203-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.620{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000291698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0396D73C4A0D7F6B1D31B3FED8B5C8,SHA256=5B1ACB2C3DCA5C969A0D2CBF4B47A2CF0C99C2A1464844F851F67469AE63F53D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.617{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.149{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.144{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.138{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.129{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.127{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.113{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.099{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.096{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.094{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.090{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.083{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.077{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.064{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.047{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.035{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:24.026{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000200779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:25.624{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DF6001D2DCC7457EE6A99C5B564279,SHA256=B1F6BCC07CD3B94DB125292038190A54B0335905DAC99ABC3A4A7A4CC5D79D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:25.647{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9D9C480B3D002CA210942FFE9DB6C1,SHA256=AA0FEDBCB6F45153992E621F4E164A1C4A8EB69A5902A5ECD3B6A99D149AA053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:26.721{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532D520DBB29C86929A2B8E3E9EE81E4,SHA256=B55EF369C1A84ECAB058B670D4C2D9FC155E8C71A5388AE75B80AEAF19EB43EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.728{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D45E3F25DB66451450C7BB8B6725FE,SHA256=34C23E92A08456E4340B976C889B624FF46DEEB324B665141D0F144C7FABE992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.632{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.632{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.628{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.313{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.313{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.313{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:26.297{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:27.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2F0DCDCC03C4C0A43FF4842819C2D5,SHA256=80D913E2DC49BAE302C1EEAF9AA49D06B193A4A1D5E1D43619E389A913DB9625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.849{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E10B69E595AFC577442BD2E73E6A7E,SHA256=8C1C2E1F92ACAE3339A274F5E1F136D8D9CD26BF8741E3A5DFECD8BE140C6CC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.710{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000291743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.710{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.710{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4c7175.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.349{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.349{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.342{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.329{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.326{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.324{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.320{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.316{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.312{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.310{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.309{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.306{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.304{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.303{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.301{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.294{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.273{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.266{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.265{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.262{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.247{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.240{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.209{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.201{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.180{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.174{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.172{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.163{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.158{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.156{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.152{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000291710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:27.151{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000200783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:28.901{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D68F6362120C589FFF08DF1731FC9F3,SHA256=EDA50A3C62808EF61DA31F9D80661DCAD0A986AE52F04118C5A4AB10A06ADEE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:28.928{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911DF163CA1D024ECC95908A1870FC22,SHA256=5DEF14EF175CB1A6048AAB633F4A656726010035462B054CBEEE95108B64C19E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:24.363{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.932{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88355426F4E36F7B76A7C222DFC162F0,SHA256=3AD3A060D86FF6E3DF592A5E8D8406F70349109AD108481A6DDB3FE9B3C21501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:29.982{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECB990ABC150202C0DA2E22084057B1,SHA256=9517D4F6578A8751AD77551CC7521AD8ED0DE950DCCDA9B02850686C6639B082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:29.873{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.613{30B46F62-5BED-6352-8B03-000000008B02}21204888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BED-6352-8B03-000000008B02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5BED-6352-8B03-000000008B02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.412{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BED-6352-8B03-000000008B02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.413{30B46F62-5BED-6352-8B03-000000008B02}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BEE-6352-8D03-000000008B02}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BEE-6352-8D03-000000008B02}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.683{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BEE-6352-8D03-000000008B02}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.684{30B46F62-5BEE-6352-8D03-000000008B02}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.532{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B3DAC3257B90248045FD918D96214C6,SHA256=8D9EC7B569636414B169A79F0F5731830C08D988B9523BF2B5893C00CE0E1E1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BEE-6352-8C03-000000008B02}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5BEE-6352-8C03-000000008B02}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.054{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BEE-6352-8C03-000000008B02}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:30.055{30B46F62-5BEE-6352-8C03-000000008B02}7648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.998{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B046AC2FBBBF7274C158B192F6BA02DB,SHA256=DF0C85982FB392875447A5A6705D8AB3A4BE12352B4134267F7E1C38E872BEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.998{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.912{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.891{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.888{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.886{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.878{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.864{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.843{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.807{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.801{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.790{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.777{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.764{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.758{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000200788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.755{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000200787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:31.086{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F019D6BCB54236D2356298B9633F283,SHA256=99FDC16973ED97E7F8C2F9C97C0887BDAD6C89D9BAF1CA4FD5C993744AAFA5E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:29.168{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000291778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:31.235{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8AFE10D91370CF8348A0D5B191553D66,SHA256=222F6C8E4418D833F90313FA29D15B14D41882F996DA1A69F388FF82F152A1A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:28.434{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57204-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:31.040{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F579F25D9024D429CCDAA102BBB72176,SHA256=B0016715C7969A980B1F2D8FD0EBDE1E7FCE4D8434CAB36ADF49CDDCFF88E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:32.239{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179B0999CF3DBCFBA4E4B57421057F63,SHA256=882321A25A203DF5B44D03060C2DBEFF76B6F1BE9D64985CA0B577F0B30A0AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:29.336{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57205-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000291779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:32.118{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A863C65D842CE14B29C40E79E4534D,SHA256=9CF02B1F0FE73822342ADC3312CC27824CFDF7B206BA0E86CC17B6969494E7A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:29.480{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.544{30B46F62-5BF1-6352-8E03-000000008B02}62481988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BF1-6352-8E03-000000008B02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5BF1-6352-8E03-000000008B02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.319{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BF1-6352-8E03-000000008B02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.320{30B46F62-5BF1-6352-8E03-000000008B02}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:33.259{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B85747E8B6D29BD63E785E2C548FE9,SHA256=19B8156924F68CF9512C6319D4CA3BE8958AA7DC1CD5F7D2818AA2A38E1D5674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:33.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4F3DED82ECE6E77E6084039A0E8B4,SHA256=872AA1444A4FDC9A3C825D3A6070E16ECD8AFFF5B1FC2D168175240AB5D3AEBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.765{30B46F62-5BF2-6352-8F03-000000008B02}73847652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BF2-6352-8F03-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5BF2-6352-8F03-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.523{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BF2-6352-8F03-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.524{30B46F62-5BF2-6352-8F03-000000008B02}7384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.363{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2B363DF4577EE1E121B168BCD7D69B,SHA256=F72F873895A17BFEC759730434DEFDE3406CCD28B944346AF37EBF51EA37FABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:34.436{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D884492D9D51F119B57B5CAA9D714D79,SHA256=C8D4CC35B3F68945F7F46020B6B47F495861E3C6078200E113F023105690FC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:31.741{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57206-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000291791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:31.741{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57206-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000291821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.868{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BF3-6352-9103-000000008B02}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.867{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.867{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.866{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.866{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.866{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5BF3-6352-9103-000000008B02}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.866{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BF3-6352-9103-000000008B02}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.865{30B46F62-5BF3-6352-9103-000000008B02}7768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000291813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.592{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09CDA6DF1123FCC9F87A57172CCD0F74,SHA256=50073E6B5D8C5A3E09E9E65CBCF0474F102D4EFE88B4AD688EB1C21C265C49A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.464{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75CF9CB71AE5DF6486122FB88BC395F,SHA256=D3ED56185EB2B68E2C6C86FBF94944EE8EF49B3999DD35BF15BD2573B24EEA0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.392{30B46F62-5BF3-6352-9003-000000008B02}63367704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000200821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:35.525{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2112BC93E9570D2F27C74C7342B8580F,SHA256=C1941783DA8F82099E2377B352238BD1A8822D722ACA690BA0C3033317432F03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5BF3-6352-9003-000000008B02}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000291805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5BF3-6352-9003-000000008B02}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000291804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.192{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5BF3-6352-9003-000000008B02}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000291803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:35.193{30B46F62-5BF3-6352-9003-000000008B02}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:36.621{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EC6BDB0F7FC03C1138304C32087986,SHA256=CD7A48180ED647154AE9A55283E21E1D4AB4F038B3938D1FD4C76CEA4BDED5D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:36.477{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551651C67F0099D46D357A7753987594,SHA256=2EEC87E897D242E3ECD21F49AD7948C1C0A501A1FAFF34462052FA3ED81312C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:37.712{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A92B622A29088A202DC33D2571FF2C,SHA256=30AB7C2CEAF4E19317DDB3E3A98C350C435C54360C6BB70DCD9190109A62C58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:37.493{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6564FAB40CC1CC185B7F881DC091667C,SHA256=0DD6CB855BF5411E56818EF1C46BF6C19339C918601140D51BF9CB7FA370F453,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:35.386{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000291823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:34.446{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57207-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:38.909{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA9587CB0A3599E95CBF52D5B1A29AE,SHA256=CAA2D7D6145EA3A0C7AE103E9ACA60B3F62C6FEB4B35F6C430BE34FB74562EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:38.642{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F728E03BA0B3C9ECA918470BFF5CBE0F,SHA256=62F7A620970260A3B19FCFFC0522521F575FA2732D0B5CF8B10D71C882A0ED3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:39.666{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31625F7F587FB0534D7D291C329E57A,SHA256=28582414FE26BEC0D8BD44073F0C23CCF12C15D48CA11B7A9CBEF407DF90E646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:40.766{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BC36C1247D2B68AF06CF53C91A9103,SHA256=A561A6D5BE4B3D8789BF27ED0498A882D0037F717FA9DB9C25713E276FD79712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:40.016{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FA2158AC5500C2F15ED4CB398D309C,SHA256=6EB9318023404F532AD49A1047BAFBF20853F126D082DA778F0B11F067797E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:41.778{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB82846BD1AAFC27EA1057CBBF12C31,SHA256=3FF680F11B9264453425D3311D6F7186D86C819D4B47007E402E5CC9E32C303C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:41.103{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB33C0BCD3E25D510823AE62E366D938,SHA256=969698A6602ECE060F71B1E6F7DAE5FC0C494AB3DAF5A3FA8F06B376FFCD90D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:42.810{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFEA16A02F84542D931F6D250D1FF92,SHA256=1855F56D6E15571B8FEBA6D06C109B8023B9C0013A5F232C22BF9AA016AEC02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:42.189{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB22C565A00D1C167890EC6B14F6B7E,SHA256=79446972A06DCA8EEEA4A1A60AB2587F8BB02AB8C30948263957BE606B5069AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:39.499{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57208-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.992{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.977{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.969{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.957{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.947{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.917{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.905{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000291836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.899{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5E41DE0A6CEC337748307A238590B1,SHA256=0EA442140B13B838EEB7195344C59930DD6441CD6E66C3D7F8BD66AC4F994C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.895{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.883{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.871{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.813{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 354300x8000000000000000200830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:40.521{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:43.254{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98879D661827BDF76FFD0A6037F48EEE,SHA256=A3EF5F10AD3C4FA2C9D229DF87CA2FEEADDEBE1E4C28ADCC450E81388647CF45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:43.810{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000291857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.868{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CB10907629CDF211BFD129F081A968,SHA256=68B19377CF4D4912E0EB775A109C7775FC239351D488C74455745B152EAD2E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:44.355{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2551133D64F8699361479917780122,SHA256=4B3B7125AB0C72CEE51704A8673245CB99B946EFD1F2C492EB61AD80E08B5610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.427{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.424{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.056{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.051{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.048{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.039{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.031{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.022{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.012{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.011{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.009{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.007{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.000{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000200846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.730{EFF5EEA8-5BFD-6352-DB02-000000008C02}16161084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BFD-6352-DB02-000000008C02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BFD-6352-DB02-000000008C02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.527{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BFD-6352-DB02-000000008C02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.528{EFF5EEA8-5BFD-6352-DB02-000000008C02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:45.449{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DDA6A389F9FD01005E802CB1FFBA35,SHA256=C28352FB847E2B8364EF07673C0DD084E417CE1A5C4CF52FF9C53718C65A0A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.842{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17168443A318A6013702F5AD54FA5910,SHA256=5CF5102FE0C0725A0DCDE469ED3F9225BB8367344ADB86952AF99EFCED55F3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.842{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D010F5EA4ABDC51CE62A7C9067A9F13,SHA256=4F6386D95C0389DD093BC36AC323EBB030F6DA2C589FC846BF735E342C315BA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BFE-6352-DD02-000000008C02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5BFE-6352-DD02-000000008C02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BFE-6352-DD02-000000008C02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.702{EFF5EEA8-5BFE-6352-DD02-000000008C02}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.535{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CFBE3E46FD62C001E6AB9CF86CACC521,SHA256=12908EF05DC1B716572155DFCE3EE266A09F09C4085A777A740F09C83CFECA30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:46.500{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:46.499{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:46.497{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000291858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:46.006{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2B4AD6D47121B772713353221EF037,SHA256=9EC5A906D0DFF7D62410160351C7255249472D9021A5C3FFB1090FC256D9D9EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.185{EFF5EEA8-5BFE-6352-DC02-000000008C02}3036800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BFE-6352-DC02-000000008C02}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5BFE-6352-DC02-000000008C02}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.027{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BFE-6352-DC02-000000008C02}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.028{EFF5EEA8-5BFE-6352-DC02-000000008C02}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BFF-6352-DF02-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5BFF-6352-DF02-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BFF-6352-DF02-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.977{EFF5EEA8-5BFF-6352-DF02-000000008C02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.974{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138B0A14B449BD5DF0F7C799C06E15F3,SHA256=5A0432A70AE46DEAE803FCE15B56DC090D516858EBE36B8BDBA6EFA53262875C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:44.501{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57209-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000291893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.210{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.210{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.208{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.191{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.189{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.187{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.185{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.179{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.172{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.168{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.167{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.164{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.161{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.159{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.151{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.129{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.120{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.118{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.113{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.087{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000291873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.086{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A1C6FEA9A14669F8F5BEA1BE2A564A,SHA256=E23554BA527B973CD251B890843874B953C10AB938C5C46BD0586DD2535C1581,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.077{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.043{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.034{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.019{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.014{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.013{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.010{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.007{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000200889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5BFF-6352-DE02-000000008C02}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5BFF-6352-DE02-000000008C02}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5BFF-6352-DE02-000000008C02}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:47.380{EFF5EEA8-5BFF-6352-DE02-000000008C02}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000291864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.007{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.004{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000291862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:47.003{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000200925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.835{EFF5EEA8-5C00-6352-E002-000000008C02}40483304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.812{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.812{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000200919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.810{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 354300x8000000000000000200918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:46.518{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000200917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.643{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.644{EFF5EEA8-5C00-6352-E002-000000008C02}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000200904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:48.146{EFF5EEA8-5BFF-6352-DF02-000000008C02}23762004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000291895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:48.169{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5253A381F2285776FDF61FFC62E6A979,SHA256=7BC7187ED4ED46EA02917A915E0BB698D67347DAEDD0B0652BD9F17B4C83DA1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.797{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4E1EEA66D1AABED70ADB03597C573A3,SHA256=5F3D640284C381A9AEB30C11E36E9E13385BCC6998469281D610B8C3A297CEEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C01-6352-E102-000000008C02}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5C01-6352-E102-000000008C02}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000200930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000200928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C01-6352-E102-000000008C02}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000200927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.179{EFF5EEA8-5C01-6352-E102-000000008C02}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000200926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:49.177{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DB1AF0E14A1D99FBBEBAEAD939471D,SHA256=D59C19E97AEC0F74A19F5029AD69225760B2AF6C117C89E29D9BC7D98B455EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:49.198{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B0729106D7D5A9F6965DFFBED7887E,SHA256=1B4360A324217D3DD715ED3FB86E6D2F1B51D4090F0687E5B679C5E3EE0B4A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:50.259{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5419EE1B601841D6F2D22DFD62E0CA0,SHA256=6531DAE029EAF5536B89AA65E14BBC8B146E4F24D3617E8806AEEA7851123593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:50.598{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=CEF941F94F97FFEC188B0E566D176998,SHA256=4CFDE38E2591426E08858DCFCBE9D68E307C5BC2A1D865979FCF1279C242D270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:50.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C313A16EAC69038AAA91965F9BC558A5,SHA256=6D89AEB7DA15B3B0E7C3570D7E55DF152B430AB926ACF036B582C9B39988DC00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000200971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.962{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.943{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.927{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.872{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.845{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.818{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.796{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.782{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.767{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.759{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000200943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000200942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:51.342{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E35D037D0AD22BB8C2BD95F22C0ACCA,SHA256=9387B3C8AED6BE1892337735D38996240D04D7275D750CE480B629CD0B2CBFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:51.329{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95F834EB0598865E329A7774A4C7B5C,SHA256=2BFCBB97CA6CFB64AB362E3C3CD06ABB462C18535D4794F663DCE6ADDDB872FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:52.558{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F579FB2A30B35A43D0087D1687222BFA,SHA256=F1A1C3B66BA751C671FCE1595417BF33C242AC03651A03E7B1C99678EB072021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:52.348{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7746EFF03EB20DD27AC9641D9F9AC571,SHA256=D1FC5E97798046E160B77070EF4EA1D6ED8C90EAC89D0C1CCFEA4162AD1CCE7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:50.481{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57210-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:53.722{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679F10A44F4B9F4E6B4EDD445B928AA9,SHA256=F811AAE704C7BFB206BB6B81368962723906DE2DB1207D600ABF7DD1519A1F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:53.501{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700F3562DFA5D6125EFB0F8CF809A91F,SHA256=20A8A161F92C1FA762ACF5A15928ED29642CD3101744CB06EAB480DE70D210B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:52.523{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:54.807{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9540A8CCD5AF479297B3D0D23F73FA71,SHA256=D346986A3ACB0B85808CB1D53FE05319420AD0DEBC07F6F84A2417D490F9C20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:54.617{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584BFEA218F96F8B1AEC5DF1302C9959,SHA256=AFC8CF4C404A0B7DE6C7EF0C0DE3B74E82DF655E0F289EC7225E56271260E4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:55.891{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFFE37B03BDEEB73E2ED39138A7B7B1,SHA256=AA0FDCC1C1729C8E56A79A076138E5358F29C11519E66756E45608319C5D5CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:55.633{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CEFB2AF70D9317ED85A606CCA98128,SHA256=F2D72BDF92B4B13FA72E0AE90219AAB28928A4F67885E91822C4B0DC28D3F394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:56.976{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F15B646CE5D54BECD2E036313C1178C,SHA256=0C1A08F77C449362C316D71BE076A82E63DC89F5B731F5766F6FE7CDBADBFBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:56.774{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED566AEEFA042504912796B9F2EE731,SHA256=1DCC2A4184DD9675A85D8EF2E40051A91670C367B23559B19E12409B314144CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:57.818{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3360EAEE2894135A99A6F12D91E675,SHA256=39513006BFDA5B7D2FABE3751CBE615C3DDC212F44039789E4231C99E442E874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:58.852{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0905182448AB73F87A54A3B14F0402,SHA256=F1FDC5CB91B6349BAE058D5EA6A8CE74297BA96BAFA668943CF6DC993EB3427E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:58.058{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F0F3829A4A90DF59F246260611FD51,SHA256=B1FF07ED914C2852820326A00848E7E96174EDEC1C4888EA6117097D93A598BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:58.602{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=FADC0CC28D7EC950B25FC38C083CD6BC,SHA256=D134A2D4664E059D997616FD24C06A0BC386CE2C6EBF28053846020A292CD58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:59.244{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF57EB630DA4E1781F6CFFBF0F710429,SHA256=ABBBCC8772383EA987AF386F24214DCDDA08531FF83D9E7543E5EED6770290DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:44:56.458{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57211-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:00.346{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0C73AD53961DDCDDF7DEC3522DE70A,SHA256=3D6F090A6D6F9190FCE80B14A292B09F012E882236957653721AE3D9729ACC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:00.003{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3EE1DBD1B48082CE25193462092E3F,SHA256=BE2AB8DB2C7992977B43094AD63FB74D1B84AF2BA453DC650CC8DE7A7A18DFE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:44:57.554{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:01.427{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FF2C8FAACE231CAEB21BDBA5DA6438,SHA256=332D9094CC46A9A1DCC7D63412F0A3450A5B2B5D538E80E89BB2613D19E96F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:01.376{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4C38979883FFA922F6B28958C97996CC,SHA256=3A0DF2E7F0A382E92F4D52EEDF072E96689809CA7251F6009D3CCEA48D6A0968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:01.120{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC05C3DFF57E7DB0DB9DD1FFE2261910,SHA256=DC44F097B63106660531C5F8653CB60164AD70703CB165B13EF68300308C9635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:02.519{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B2CD0CE3FD2FADF455B33F3513A695,SHA256=3ECBA0100FBD8EC02CF4EE906F4F630BEA116D8B4B771C0153F3664D984C239F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:02.253{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1DA06CBC5337BF53BBB274E2438115,SHA256=599680009B2DB8DC3B893A360783399406ECE05AB67B92D5719A6DD22F812677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:03.616{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA067B8F5006FFB21E581C9872051195,SHA256=90282CC96EB210A7E85EA4FFB5F907044A0100448A78469EB871FD18B0ED0EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.993{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.980{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.968{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000291922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DB4AEF7ABDE021567CFB067AD9FACB85,SHA256=4454259FB30084E264EE4D6875AA56BDE18F2188871D3301EC8F8ACAAE1DA33F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.933{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.922{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.912{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.901{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.889{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.822{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.819{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000291914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:03.355{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A28ECBA6C81CAB119B80884183B41C6,SHA256=FCA2C3971D3CD8DEB41394127D1CE2724DD5BC99B87130E306100FC5EAD633FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:04.887{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A1EB9FCFFFAD104B1D3873C6824FC873,SHA256=B7EE53DD01348E9DAD1C16FC545F4CE70E2F53B0FAF99D214ECF8697145E35DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:04.699{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8390AC9758D181DC02733CBA790070,SHA256=41EB7137D24E1E7F6B0874CAD5001E3307EBCC125B7FA90A5F71946C69B7C7F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.552{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.546{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000291940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:02.460{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57212-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.421{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06960BCFE34AF31082CC0A0983600F5E,SHA256=B0B1258F80CF47FA31251D61F8F71A13689340FC23BDDBBD572D50281864BFC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.091{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.086{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.082{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.072{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.071{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.056{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.049{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.046{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.043{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.041{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.030{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.025{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:04.008{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000200988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:05.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7746BDC46D90B0790C44D65AE824E8,SHA256=0B7F524F160CAA7A7EF7AB7032701CA8B245A0D9004E5E91B80105A37E20399A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:05.521{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18D72687F8ABE50266A5808EECB8617,SHA256=58A48D3D98B9F5BA11749AB5F69F9B1E15281FFD57AC65C58391CC03C2315A6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:03.364{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:06.881{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA6F51CBB0D2FAD0CC849A028E9CA79,SHA256=653ED4F37EC99811E1B4C6A3E774CD7AA95CDAC7771CCBAA1329CF1BB58CD7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:06.618{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1A572F577197025249910D385247D1,SHA256=E5A5A10E26007A7319C7D578E56F13C35E9038B8903E0E97A64DAF9593246B73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:06.584{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:06.583{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:06.582{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000200990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:07.977{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D502D7645015C6C983C170208290F80,SHA256=07BDD02873A50E334DBB47F5381C6F4D992DC2E756B142CCB03271DB426C2590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000291978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.313{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.312{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.311{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.296{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.294{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.291{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.289{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.286{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.281{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.280{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.279{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.277{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.274{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.272{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.265{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.243{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.228{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.224{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.220{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.199{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.185{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.150{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.138{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.130{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.122{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.121{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.117{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.114{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.113{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.111{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000291948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.110{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000291980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:08.695{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=A997DCD70ACAAE3A2C6506054C0886D4,SHA256=6DF262CE0A15037F740DA2B3ED0D8E459E300C76120006C05A6FB8BF80C4794C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:08.127{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7443B6ADD76719AFB925542872252F26,SHA256=8234F422EEC89A12F0B9C8CD86F3641755608EDDC9F1DD720D78A06FF2E0FB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:09.069{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B02FD3F8D1C3807E9C28C056CDFFE22,SHA256=5068ED2242C67706D7B07014B989EBAC00C01926AF767DFA42D38D09ECF5C9CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:07.466{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57213-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:09.226{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCB8B6126B14EB133F69E98BFB3D04D,SHA256=97DD31726C84953DB974475AFA6AD7F8581D1BA75F59D3D0582E2EAC760704DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000200993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:08.411{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000200992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:10.162{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F3964DD3C1D680CADA327F292C5DFD,SHA256=6385A47DA0B7B6B6ED0609ECFE6F984FB53158180B1B2340A11139BCA9891D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:10.260{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F98FF274D8602733BEDA1CF4CE0586,SHA256=D89FF490EE3E5B2ADBBA3FE0E1CB7E8B194ED001581942C231B27B96E1FB7F38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.869{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.859{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.846{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.839{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.803{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.797{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.788{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000200999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.781{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000200998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.772{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000200997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.765{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000200996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.762{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000200995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.321{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-081MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000200994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:11.239{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D518293F0A6461ABAA194AF1EB40F91,SHA256=C1A62776EBACB2CF0BDA264159D67410D72E52F5FD9A3BE5059F74591970D4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:11.310{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CDFFC736C5CAFC1DE6F18713528608,SHA256=2514B976F6F44CCEC71FE4165F1C742CC6D40D5335FB9528802DEF5B341FC1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:12.754{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECD33DC73047B4A971C7DD600821B3E,SHA256=8D19606ACAE5002513B1CBA35CE1FD85F2C4FA389C9A30D310535A2612FF3040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:12.332{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:12.326{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFEB8CDB9DA983F7FD9311A0DC595B0,SHA256=3D46275FD72B8D118D9CD2D31656492A7816A0B652694699B1E1CD9C18009BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:13.534{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF78D4F083A20B04378E706DE6E682E,SHA256=5F3E4B6852FEA558A14768F6A6D162E6E33959112F9EA0D226F0033589706B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:13.428{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94B988F7EDB94E598A2122CEE465A6A,SHA256=18A93899BC1A7CC52DC6A6371186560872E8BE6F24908FE33D316773D739CF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:14.602{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B5B0F6DF5A6E45A71FBE0481171E48,SHA256=423B4EE8F12D0A9A44A842D34780BB68047D68D406D799CA7EBFFBC31824A3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:14.557{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05877CF7578CA636D9FCADA08FC854D7,SHA256=9CEB2E1790B9D9357B877ED550AB7871E6187E7B3059445404C62972C68FF2D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:14.355{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:13.567{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:15.681{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236A3A20911C626BC545DF04F2D4A735,SHA256=45D7D9CC7198FCDD1FD35A65FD147E04A0393A23B09325863204BC0DB2263DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:15.661{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E4604EA0FD8EFC59CBDFC46E7FC205,SHA256=CAD13739DA1DB925A96DADE6658DE033207D2A418BF1E0F4F93715750FA2176A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:13.418{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57214-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000291990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:16.785{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9DD3A5798580E54FDB52E260D76B42,SHA256=90D6087BEF4CBC2F7ABBAAD211C8CA37829B24FD24E13C10A72699FBE9B1CE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:16.772{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24577B46111E73E8B13703CC14B68F70,SHA256=ED90699B8860AA51B8C4AF4E31320F4857FA8E48182C7BA91A2945A8D8156084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:17.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9753903F2BEA23BEBDCA36D4B0275D,SHA256=096BEA78653414CCF23D7E891824945CDBF62C322850EBE5686F75048D64298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:17.828{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB7239EDE3383652F78EF850F29E2F3,SHA256=0DD4828C98B32221AC03CEB7755AE07810237F0B52410F00DC2FC8839D4F57C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:18.950{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26A55A0015D043867870E162E517F4,SHA256=6FF669B2C9299FF4E0FB7F7ECD7C9AAEDB01B875C92E9945490CBBD82E4C4C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:18.885{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C3E10126D10B92A583ECD4DE9BB3DB,SHA256=8AC825F33C12A0B9818F464FF5BDE7785849D358E009737B2B983EB29FE5C209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:18.728{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=F54AC4481100065F7532CA02E6D6F2BB,SHA256=C62568923008B45AB3EFF53B2554763010B2C59C4372E6BD785DD81B474EDF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:19.915{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A0312E5A4DE7C6A3290B16621EE3BF,SHA256=5EE593D9346E1853583A95DE4EF2E3C94F1163A626D3EF5B3007AFCE514BF047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:19.934{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C9EE0A1E3D2713CD3406277313EE9746,SHA256=4F1855AD110B1C7CED8B77C97C9A03A30B4A608A040237D0D52B68AB2A554293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000291996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:20.931{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48664CF956B11384F70384173FAA2556,SHA256=DABFC93A7C9EBE37353F24CBBF53ED2E1E86FEE0763FE20083A6B7C51943A5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:20.027{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EE3688AE182FEFC1355BCAA6816050,SHA256=0FCAAAA4EE175BFA8CE844E6B06A390995B1E42DD6132F30CF614DC2F274BFC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:18.600{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57215-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000201038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:19.556{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:21.126{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F7ECCBFB736B50F1AB2A9D33ADB988,SHA256=0DC014C485E1AD533989153B55938288E91DAC72767BF4272EE04660301F8364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:22.223{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D09E09993A6B62699BFEC9B44FED4C,SHA256=042A71F3DCB86585D245D44323AB990B929CCC47883D69FA4BD34C590B9F4BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000291999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:20.448{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local54475- 354300x8000000000000000291998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:20.447{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50786- 23542300x8000000000000000291997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:22.016{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F7FEFA22BC21CD932385D146401201,SHA256=AD80C8AB6D420CC2096027BC8FE69AEBD4F2AA5FE3ED5F1D3140F8B0F012AF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:23.329{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64ABDD87872CD4EB3C36728EB91C2C5,SHA256=718E5EA7D2C9F847BF7FE2F896F60F315B00C83F6E5DDBED332C129D2211E0BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.998{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.996{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.989{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.984{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.971{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.962{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.952{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.944{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.912{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.891{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.879{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.869{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.861{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.824{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.821{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.293{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-081MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:23.033{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FC59CCF1E8AAAC8F7379584D3D1E8D,SHA256=DFD13638417A87BE44991E3298705CD62F941068A1652A160A425A6C656B5A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:24.416{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAE3EC91C5CDD4D6625324F94DAC698,SHA256=2E9F898AAE0D6FB7C13ED59156EC57F73EF3F1096B37DF7F9E44170554646447,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.446{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.443{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000292026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.292{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-082MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.103{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190171B8122BFABE65F7F0898D29A102,SHA256=CB1EB4391BBFD313D0DF5924AFEC05009B3F0C0B33336BED64F696CE243D6B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.035{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.028{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.025{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.019{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.016{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.009{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.002{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.000{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000201042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:25.493{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06402F61614B176A98BE46822E07C5D9,SHA256=D149D422C30BB0E1F93493F254FBEC063C668B85626B1C0B9B89F7E102082297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:25.170{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D235D16AA64588D1642CF0D10B6F2DA4,SHA256=C02A6068C6C6B8E971757827BBAF8A10DFB74EA1EEA112AE5F55CC669C5E0D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:26.573{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB41A05463468F61B1333C7465E29D1D,SHA256=40490F825207FEC70091D579A387ADAC131B02CCD43EACDDB988DBD50A034874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:24.365{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57216-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:26.507{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:26.506{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:26.504{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:26.293{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:26.275{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3A7103D095FA4D0A1F673F42E68A12,SHA256=8F1B38CDAE63E8393BF1B975A442ADFD39CA730A718ED25616A579EC29231A53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:25.401{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:27.669{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9AB670518C0EA9118D7935AD586E0D5,SHA256=E08A8FF577F2136BF8B55AEB852B09AA005E1D818164EA5C5DB59693E66AF589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.392{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF7A60FFD5E6CAFE4FF93AB900D73B2,SHA256=7659B5436577CE0BB99A99663B849FA1E23A663D84C8EE9A6334204AF1C252D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.234{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.233{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.231{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.211{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.209{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.206{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.204{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.201{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.197{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.196{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.195{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.192{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.189{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.187{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.179{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.148{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.140{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.136{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.133{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.109{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.094{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.052{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.047{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.038{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.032{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.030{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.027{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.025{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.024{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.022{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:27.021{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000201046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:28.758{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B83134369F85ECE7947361EA09E84AD,SHA256=F1A3ADA1249BEB6C5A49A9780CAF9AB6FC4CDD5F706D9D5A58FD339F1FAC4C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:28.420{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DBE410169DC29C8CD000D374D5424D,SHA256=04F90126CE793C86A938FE3C088F6308EA66CEDC1A0930E78A770F8050E3E10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:29.907{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:29.836{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BFDB5C775C0CBC08696D8E30CCB1C2,SHA256=9F5A68EC41C17C010A9B8D9EEE34CC9A53CB079EF02108CE0713C2BBB2E235A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5C29-6352-9303-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C29-6352-9303-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.993{30B46F62-5C29-6352-9303-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.920{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=70C3C009A35B1B6308EB351B353F5900,SHA256=AD54DCA44034703D61FE0FF6DBD0FC5D2667222ABB73F642D5935B5429011687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.635{30B46F62-5C29-6352-9203-000000008B02}57007308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.535{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16633C6B2FAF15689D839CA1EC18A2FE,SHA256=22B3D440638FA70C65CDBD74A824B9E6021537A40427D239B9802599D57F996C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C29-6352-9203-000000008B02}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5C29-6352-9203-000000008B02}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.404{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C29-6352-9203-000000008B02}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.405{30B46F62-5C29-6352-9203-000000008B02}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:30.923{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236265516E1226E88CE8617FA08D94AE,SHA256=757C15D32E91995D552EB18CE8A5745C1B61031B4D035D097DC329C92B4FA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.651{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB695D001555935824E8D6A2F3A359BF,SHA256=519971B8926A17573113787F3C266250C9EC9ACF53540D9F7C436D461A7407A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C2A-6352-9403-000000008B02}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5C2A-6352-9403-000000008B02}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.620{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C2A-6352-9403-000000008B02}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.621{30B46F62-5C2A-6352-9403-000000008B02}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.436{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF7D03515C14A6016B8FB1610E3276F,SHA256=40896D22DB3D778A7B439CE06E19397B3F611D89A8A7525E240C89594C972C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:30.038{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.992{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C29-6352-9303-000000008B02}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.933{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.930{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 23542300x8000000000000000292101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:31.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C45EC0665295983311AA9B93E6DF4E,SHA256=E55DE8C570C8B14B10AF48F59B553E9D95EB55212B80C2CFF54D08D0EB0F7D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.377{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57217-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000201070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.810{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.804{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.796{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.783{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 10341000x8000000000000000201051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.769{EFF5EEA8-4860-6352-1F00-000000008C02}12002812C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E02190) 354300x8000000000000000201050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:29.191{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000292099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:31.494{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A99F028C295E6C04DBAEDDFBE785C492,SHA256=FBE3B05311557B360825BEDCC85A56B8E496642A3C264A816655F0AF8DE1F429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:32.996{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D13354C3A0B6632752DE0482D631582,SHA256=15728DB0E178FA782CCF120EBE108582FBAE14C971A3FE4D2BEEE0D4797D6E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:32.771{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CC82C2677FACB40A9DCD3FF847C4AB,SHA256=A895BEBF12D7B10CC1573CF20FC1A1A38C0FBCF62A2B6D3D836D741C548CF0B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:29.484{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57218-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:32.006{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAEB72B029542BA5573A8F9CEF349FB,SHA256=478BD18CF9363616F080593623D08A4F93358D0A2DA4C87F9E6763647AD11DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.776{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43886422AB1DC2C6BD4206C50EBA1637,SHA256=70C7A354A5E615FCF651F6A058659244EA5A95A1DB02119451093431E033D539,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:31.751{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57219-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:31.751{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57219-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000201082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:31.375{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.506{30B46F62-5C2D-6352-9503-000000008B02}41004636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C2D-6352-9503-000000008B02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5C2D-6352-9503-000000008B02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.322{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C2D-6352-9503-000000008B02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:33.323{30B46F62-5C2D-6352-9503-000000008B02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.809{30B46F62-5C2E-6352-9603-000000008B02}43367792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.807{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB8AAC16E838FEF7C04515B8C5E9860,SHA256=F61D8088EE0440AF2CD333455D3B70E5855F3213D4CBDB07E144A3DBD45B4FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.796{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.796{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.796{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.795{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.795{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.795{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000201083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:34.087{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6850E8DF4713C4ADCDCDB8271F84A18E,SHA256=8C40EB956EE7883C4B712022C104E4CEDEDD8939E04E06BCEF75A190098C3B7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.537{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:34.538{30B46F62-5C2E-6352-9603-000000008B02}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.920{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380AA7E9B715BD20DF0549647FE29A9C,SHA256=2636645ACE836604E1D571C84850668D3B739F64EF48B22B1CB51820EF5ABAE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.885{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.885{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.885{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.884{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.884{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.884{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000201084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:35.169{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA9381A79F94837CADFA0F9FD20EA36,SHA256=001A24C60C5DA5E22BAF0593F27C4D84FE3EC9F07C8DC708DC4A1CFBF1769A5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.714{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.712{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.712{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.711{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.711{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.711{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.711{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.710{30B46F62-5C2F-6352-9803-000000008B02}6652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30D2E6035CAD857621204B0CD834135B,SHA256=DB5BD2817816EDC8F9581206BE7A803798CB35FE8700A228DE97A1F055D3AF6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.194{30B46F62-5C2F-6352-9703-000000008B02}76087564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C2F-6352-9703-000000008B02}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5C2F-6352-9703-000000008B02}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.035{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C2F-6352-9703-000000008B02}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.036{30B46F62-5C2F-6352-9703-000000008B02}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:36.948{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AB04F64E815E8EDA9517AB3D48C5B6,SHA256=7180ACB9B0BAEFDDD29536D9BA3472F86549B83C89C0BF4DDBE34AA4539B1A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:36.357{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B38B94F2BB542D20FA038833E7FDDA,SHA256=84C3008C22886C19FDD6BEB263E6B1C295E76EA1BD46A30182ED8A6625A449FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:35.421{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57220-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:37.456{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89C8B0704B67C230C67EAE85DB4480F,SHA256=1034869449B4227FDBACC15FCD0687C834CAEA3A1383336856D24B9F1F50B355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:38.545{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7FE22800B6058B3467879E569F1926,SHA256=5E487C174A4E3D63D08DF8768FC483D523F6CEC669C2023B075FB7E06C3985C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:38.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A2F56BEC35410BE9A942525C453AF3,SHA256=35554D744E43B7129623A29C84DB4DDCE67F8F1CD3753468040797CF790B2D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:39.629{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58CD9A666BA7922CF94F0BA9BD312E4,SHA256=B73709A954773BBBB5A95E5D35897E843697AA8C38D77DA2FAC7EE1B4B6AECB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:39.114{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E90D4A1326CB0B187A0F98272303BB6,SHA256=BB39D672B15F58D2E20274AF0D17232C729D6C9FD1CBB77010277FE878A7BE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:36.418{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:40.824{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64925515F910F484E1DEDCC5CD9AFAB5,SHA256=587D2C0DDDCD78265518673886E1B8E698B6BF41888D718B03982BE519660716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:40.165{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58337B021D56CD997BDB21285EDA5F90,SHA256=E8034C48CE6E35DDF5287DD4AB4B75B3794D1575BF658BBE840ED52443329AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:41.906{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB59EFE8BE4631B6FB0EACDEDE5A8D3,SHA256=44CB0806BAEE7A915C9E6AD59044633658722E1864B4665ACDD71C05F8FEBDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:41.213{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA82C3676EE89DC53D576893AD7A8F1,SHA256=321B6808E46AEC8DDBEECB462EDF816DE09538EA8C26A700726E94B3224C5122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:42.983{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D27B1CC88987CE27504207E80F0D79,SHA256=403561EE76F9363FA85C8F59F95F247C6193AE71A658E67A1090EA29C5300297,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:40.607{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57221-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:42.350{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272A7003DDAF8AB92C756DB724D8C21A,SHA256=52F07488783C810DD0F3D05CD2060D9C8444085C44BA3553EB59FF0C4710A0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.998{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.992{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.991{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.983{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.976{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.974{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.972{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.970{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.964{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.958{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.945{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.937{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.927{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.920{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.890{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.880{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.873{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.863{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.848{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.814{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.812{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:43.380{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BFF95BCE3FCBC57D4B262F85E2997F,SHA256=A1562BB36BBA722D210781D313F131C073E3C3C56506D7D0CFF1BC0D879C29B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:44.402{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C376B061988E046E642C379FC956B9F,SHA256=C186228C56386CC4B509550C3351CC845E07974610B9CFA72A56EE711F4442FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:42.415{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:44.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43B89493FFA75A0AF2426D5898DF517,SHA256=E7CA5FAD60F15881FA53E3BCEC17E0E3F5CD6F400C6275674238C4C16A4DDAB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:44.372{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:44.369{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:44.004{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:44.000{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:45.517{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813632253EFC267FA53F507979F0846C,SHA256=CA04EEBF408498F1A3914C073E337492F00BE4E90659E851B0DB5E540BEBD6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=64E99A3C891DD3599F400DA0ED63421A,SHA256=FE3B08452B2A061F1E5FCE6F46B086DF76DF4BCA488C779A5CA5A409E68C4DEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.640{EFF5EEA8-5C39-6352-E202-000000008C02}9042672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C39-6352-E202-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C39-6352-E202-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.452{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C39-6352-E202-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.453{EFF5EEA8-5C39-6352-E202-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:45.127{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1BD3D597B5009D4E0356B42A1B7167,SHA256=40E68A22CE2C9C40B41CD7D536114A79181B672BD7CF53724A9918F81BEC17DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3A-6352-E402-000000008C02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5C3A-6352-E402-000000008C02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.627{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3A-6352-E402-000000008C02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.628{EFF5EEA8-5C3A-6352-E402-000000008C02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.549{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ED4E1954AEA9672A4DD19B5473C1924,SHA256=42F3DD0E2EC16C7CAFA4940AB742F91273D466AE27EA08E30D113AF5E2910948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.268{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662695401726D564F469587C8287CE70,SHA256=56772A4D8C2FE19665FAF7D41CDC5FBC5C00B0F5E32EDD08FE55A3CC992EE133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.236{EFF5EEA8-5C3A-6352-E302-000000008C02}14402596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.998{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.996{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.994{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.975{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.965{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.939{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.926{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.918{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.912{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.910{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.905{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.900{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.898{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.893{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.891{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.570{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3601D9F770BE8F0CD5C3EFE675D527CF,SHA256=9DE28E72A71052AD08FE6BE07BFC13F288F70EE615700FF63D5EAA5C97AE589D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.388{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.387{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.386{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000201123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3A-6352-E302-000000008C02}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C3A-6352-E302-000000008C02}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.067{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3A-6352-E302-000000008C02}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:46.068{EFF5EEA8-5C3A-6352-E302-000000008C02}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000201167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3B-6352-E602-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5C3B-6352-E602-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.968{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3B-6352-E602-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.969{EFF5EEA8-5C3B-6352-E602-000000008C02}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000201154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.452{EFF5EEA8-5C3B-6352-E502-000000008C02}3040596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA30249B98BAF7BB278EEF0FD28735B3,SHA256=BA697DCED388C0672A77D8AFDDCC087E8EEBF84D3341A40C48E4BDCF7F6DBEF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3B-6352-E502-000000008C02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5C3B-6352-E502-000000008C02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3B-6352-E502-000000008C02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:47.296{EFF5EEA8-5C3B-6352-E502-000000008C02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.631{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFEEC597E2669CC2788B1C303CD1C4E,SHA256=0AB418E041731131593C2859AB84AFFFB54ED361779DA4E3F25DCE185A7B4D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.471{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5CF02ACEA5B54B98E87B814009FE07,SHA256=FDB95DE22171A5134DCC544EC760AB6912D8FCDB1F0DB1A5B9FC1783B1943B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.320{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.320{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.319{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.318{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.100{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.099{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.097{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.079{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.075{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.069{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.065{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.062{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.056{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.054{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.051{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.046{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.033{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:47.007{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000201182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.923{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B2E743AE5830D40E47C8C9C843D090,SHA256=31D0539110457247AFC7727C051E42A4738407AA1BB22290F8C99CDFB170C94A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3C-6352-E702-000000008C02}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C3C-6352-E702-000000008C02}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.637{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3C-6352-E702-000000008C02}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.638{EFF5EEA8-5C3C-6352-E702-000000008C02}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000292263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:46.503{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57222-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:48.825{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=957BA46FB6A8B39D7875A21109B8C870,SHA256=827EC3973AEF74C1BAB59DAA89AE42BB177E068A308E795BC78B541B325CCA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:48.692{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC37522ABDAC0CED7165F09180A90CF0,SHA256=E3514D56500AABD7DBFC366F89070454C3A1FD1A5A7EC3F32394A6D8664AD593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.173{EFF5EEA8-5C3B-6352-E602-000000008C02}32722340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:49.752{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2E644A60224863B4D9F34683DD0CB3,SHA256=3EA7213A7889038FE3F5D389EB4F2D3AA433E49A65CCB157AA0A4F021CD5F98B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C3D-6352-E802-000000008C02}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C3D-6352-E802-000000008C02}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.317{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C3D-6352-E802-000000008C02}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.316{EFF5EEA8-5C3D-6352-E802-000000008C02}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:49.077{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D7B300715CBE57B0DE5BDA78970FB7D6,SHA256=93338C6349F4708E469C9D4F4B19B69FDF679EE844EA0920C79200F0E9706D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:50.830{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B28CE2CC1F97B3E4B245601DD85D669,SHA256=0BCBAE551787067ECFB625DDC81EA64E15DD078001D505830EFB1E80D7378AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:50.097{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9713FDB3C414D1B0B99F0E65B86895EF,SHA256=CF4BF7307390CD651C9DCC4BB8DA5D479B9DCBA1F66F35347A0B524134C2D263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:51.933{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC55052908AF88FCF99E8015C452925E,SHA256=46033F3DD92B1CEC1C577669829FC071B75F3B38F082055E7E9C030532694673,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.949{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.946{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.937{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.936{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.932{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.880{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.872{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.863{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.801{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.760{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 23542300x8000000000000000201199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:51.218{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB25464993E7DD4246836E0B72833575,SHA256=35CDC38CA7BCC8C1518F6EE5FA24C345524CEF771192CC8F447AAC2BD2B44719,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:48.417{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:52.674{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6B212B87B1F527C5220AE9765BB9E1,SHA256=2F66282C7BF3B0A090864DB5A60BC88023CD0F7169DE6169898AB71AA48AB57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:53.715{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C91E1E1277ABFFD3B9BD76B54AB8927,SHA256=A0CCCEA49DCF55BB5B6039EB4093DFE2A60D002C40DAA7C932586A16FC6800AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:53.119{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73575C89B5FD12AAA5D35183BC3253EE,SHA256=BE760561A2831A92CEBA7E4DACC05058620D56153FA5E9D80A1C47503C8314A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:54.813{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED6D4CF1FE6DF3FD8D9089CB9EFBBC7,SHA256=A7E644D7664142E33D885E6DD97C9ACA089880635E66930238A039658B602AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:54.262{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF80AC6F39D23B8D33118EC68FE14CDD,SHA256=58C7254EB4994D4A09C6CFB6F1B3DF97ED01FD3D2700E991314816A4C9CE872E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:55.908{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B81B59E3CEEBABF53702FCBAD408D8,SHA256=7544014CD7523B6DD319260762DCD8350C44AED2D980ADDD61F1DCC30BB035DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:53.564{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:55.340{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F105DA8E23B0CDECDF2F8A5E31EB00,SHA256=B27D0203EF69C221EF9A904FDC1C5B44573C59BC6AE71E12EF7B09D8C0F8FAAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:52.529{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57223-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:56.427{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D8261DC2D43387917BD92543E03404,SHA256=0722E632B9AD2F2D26C84B8A6E2D868C66518C6E7D1ABF3ED3BC2953214E642C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:57.499{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB006C46AD07B3A24EE911DFF40C77C4,SHA256=895AC6A5C699A0352D0204DFC62B6900AC1905F7C8EE2C5D8C5AE9C29FB7124E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:57.014{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C0C4AFE5DFB9A6C501D20E06556F12,SHA256=6CA278895BF572FEF82EBD45236861F454BDC264C549C2F35989EC10D2B4F5F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.917{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txt2022-10-21 08:45:58.917 23542300x8000000000000000292278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.917{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.917{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txt2022-10-21 08:45:58.917 11241100x8000000000000000292276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.875{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:45:58.875 23542300x8000000000000000292275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.875{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000292274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.875{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:45:58.875 23542300x8000000000000000292273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:58.574{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879D087CB56A1362D16F9F8023EAE938,SHA256=FA38EC6B345C62FB1D4EC2627445D443C7533B294FD5BBC1598668603336E1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:58.113{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05776BC1A47E03A5878FA22D375E1A7B,SHA256=AFA71CB1861DC32C3BF311479A5DD9932A835312A4E284DF5BF58455F38135A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:59.619{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C0AFDBEFD5BDAB92A1207CDF59055F,SHA256=CC029DA496AEFB8EEB2C7E9D7120D2199670A04CB6204B95209CEFA4D79CA14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:59.209{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BBF51862F7B1A6DA4404E3ED602477,SHA256=425E486BDD83C3585EF533855E0C90A2AF3EBBBF53E90FC358B78D08A6891980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:00.291{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD61ACB80326990F557741551E6FF108,SHA256=41AF8A6C1CF8311575BD99B2B26CDCB26438D5CE5EDDF2DEDC2DEAD1D2A54B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:00.656{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF59261BB15772A18AF8B53B0CD9B94,SHA256=AC718EC7E947DE14F385E51E3C90480F29CA5F59F48A39CE94C01E28D548C54E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:45:57.532{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57224-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:01.385{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71156D352EA9D29D254D8CE143301B82,SHA256=B80C90CEFDEEB701AF054AFF93E499FA4582475BB43D2C7A772E12049DE5CA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:01.924{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CAB21C44B23CDAEFD39F0CB770D2AB71,SHA256=A989241583E9D39B84810767ACDABF8B49B5D428089A461A0E706B1388AB1B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:01.725{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2FA8CB68EDFF921B24BE15F3CF852E,SHA256=1CEC80D21B786B5830D4DF4E0815456D2A058AAD2EBB6CD935D0FB93685F3EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:02.465{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B509FF54B31BD2E6E865D2D467633D,SHA256=6D94AD2A1831F7F6A412CF028CB8AC5EEF9669B7C37D77D60C02657164DE6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:02.784{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FA682F26FA03DA9EE9DBFCBD643302,SHA256=EF1AEEBDAA759F166FDF458C27C20A9EB33AE719516FBBFDFABC421DF1FBA528,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:45:59.464{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:03.543{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B085309A88F1708A5920A67AD3EB955E,SHA256=3154049491C85337F2E5A68FD61A7D5DA0CB7E0EB76981206093A942A0507AB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.991{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.980{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.969{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.964{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6A42616D5511B0925883F341F9F41F15,SHA256=4F62893505F1FE625E264819DEA20A02D122A960624A07787EBDC3E2F709D884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.960{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.926{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.914{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.906{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.895{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.880{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.861{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C3E887A6E1B97BBA0EEC9073031F51,SHA256=92C287D97D69362F5EBBE1B4A6BC951B0F7706A1DB33FC0D6A3259208D8ED4DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.827{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.822{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000201243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:04.894{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=27E3F5A6E94B7BE8EA2CB1BDCFBEF148,SHA256=8EC11A4F2F1CE0A273DDC1019B29560D1FBBFF30CE7D4C06962C9746CE1F4864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:04.632{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F8DF15E50C4CDA3CD223AD6CD505BD,SHA256=6B5F7AAFDD875ACCC916F89025A1544B97C26A2530C1EE2A4415F0C3EA34C6DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.898{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5724D1AABA38BFD8E3CB274717623ECA,SHA256=3FE18C7B325137058F1C2313B4234A210E87C71B539E8B440C335137147F1D24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.533{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.529{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.063{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.057{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.054{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.046{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.044{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.034{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.025{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.021{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.020{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.018{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.011{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:04.006{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000201244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:05.732{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8103E81431CE5D189DB745CBCB2FE2,SHA256=59490727E67065F5AD924D4BC2DE89D71202A1D0F88B7E4FFBF21F08C9D0388B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:05.987{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAD488C26D22B3AC1377CB15F2C5719,SHA256=97BB75ED348687EA8B4DB393B4BFB6EF53FB5D789BF3AF062FA069F9F613EB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:06.823{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECAEF10A8A79041732B9982483C5434,SHA256=BB4143EE2B04AB5FFAB2B6079D29ABE02DE9FEA9753D4B402745CD01AAAB48F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:06.565{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:06.564{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:06.562{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 354300x8000000000000000292315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:03.472{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57225-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:07.912{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB52B00032DC0EA169B36863B413FF2D,SHA256=245958E6099275914F3545378F53B99CE9D28D644728FEA4B9669A671E541AD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:05.480{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.291{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.290{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.288{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.274{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.272{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.269{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.267{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.264{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.260{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.259{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.258{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.255{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.252{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.250{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.244{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.219{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.210{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.209{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.206{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.185{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.175{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.125{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.119{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.107{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.101{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.099{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.098{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.096{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.095{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.092{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EC3DE52B88F3FE9C778051C35A965B,SHA256=61D845EE63BF4402D73879756728D9413ED13BBF3DC962C4539A4006E255C6D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.091{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:07.090{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:08.192{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE619D71A88542F41E737964161A86A,SHA256=526332B15C526FB29679658744608A87F12B99A8AC680937D2D82819E09B7815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:09.304{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397C75D9A0D618ED0328984195CF6223,SHA256=8249955F6619A8EAB6062B80378324454A9A568AC074B7395EEA771BC853B568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:08.999{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECB815CCF12B5331D5B2F76A6B18440,SHA256=172FCF6AEC84A36B8FABBEAB36EC7F1D8F985D7544B9D9B7E55C18B506714030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:10.371{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F8279B3BB5127C680A9DAA0F4F1AB1,SHA256=51BC298AE72C5C95B46323B4B09933EB4CC9932B50F8503C5E2D390D2100F4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:10.074{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F18781CA8883C245868AC969571FA8,SHA256=197DABDB92BD06A6B4DA9E48AF49EEA13CE4C4E01D8C21E004A1D8FF9C67CE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:11.446{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78F22D5F7764D3F07D8E557F7CFD5C,SHA256=A57DBA30104DFE1D61786E9B978D0171F97D05996BDB6EDADBE60033E37A9B4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.998{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.995{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.990{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.986{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.971{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.969{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.963{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.960{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.951{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.936{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.902{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.845{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.828{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.796{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.777{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.772{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000201250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:11.176{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741329DD373DD6ED8D7A14E6494E5B9D,SHA256=671FB599465D8E97597D3D1FA055A805E2A29B1D925E1D30B80F2283EF82CABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:11.346{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E162C5DE9ECE1F916419605659F71F7A,SHA256=81E3A915DD4D04F096B4293546D1A42780B34E8BFCC41CBAF7102944FA7FF9BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:09.381{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57226-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:12.532{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA05754CBDF0D32BC47D1D8683E9E6F,SHA256=D2FD57FC1DAD8A4C550F97B9B97B182BF195D82D297B64B615891A9703E73240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.852{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-082MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:10.502{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.403{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C660283DA739420A50268EE85A3A77,SHA256=5C3DE91CA26C44436A0F00FEEAB353829B65FDE9901BEA83F713C2C378DE12F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.008{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.005{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.003{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.001{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:12.000{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000292358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:13.583{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153F55533AFA3BAD5281A47104E5AEEC,SHA256=822FC14745C54703575B54E09963992FF47EDEFFAD1FF138D6ABA0E5DFF90D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:13.857{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:13.441{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5BDA118AF95CDED82A20966D591A65,SHA256=C5301DF079F631B7C515CD42E2DC248E3C746900E7385CF82FCB3E5BEC75F883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:14.514{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178109B3DC40A23C7C563B5F64D26E75,SHA256=408870BA16419A6C9E9029A8B46E7FE56DCF8144FF477B018E0E5D0C006F28A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:14.685{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B269FFF232D78CB2BCBBDDBA9E441929,SHA256=8CF670DED7D9EE4176FB4F1605091F5A131A9AB59E508B84559C9CA28BE84B44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:14.371{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:14.371{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:14.371{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:15.912{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4e1820.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:15.754{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64211503B24F095C0E645583B41FF2A9,SHA256=F5ECAC2258D0F45035AEF7FE4CC71A9DC8ABAA7733984BEDE239744FB8B4FFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:15.602{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9273BC502F1A97C0B2143BDB9E5646,SHA256=ABEC60D9634C7E4AFAF33D0C761346CBD6875048FC243EA8CD67B656F4D4BEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:16.814{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA45F26E8185D09E0F9488873A28894D,SHA256=81545502442CC83BD780CDC02D13C3054D511D48304E3182EF5C57FA629B43BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:16.688{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7DFBA769F7FA7459587FD1601D46A3,SHA256=8BEA09A97E630A902F942D3F1AEE7980CD0152F37C46A8F94393C01E165EC3A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:14.397{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57227-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:17.892{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B241038DE8D358DD8890A8FBC2088B,SHA256=4B5CBF79B3029C172CE9BD2EDC84D1D00FBB6E726015461DCB67A21CE5EC0D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:17.781{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713BD8EE7777B71165DDDD743021469D,SHA256=9E6654C758A7D863E2E2E7C5297A4C80EE3B6754F0FF13B718A0192AA862D9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:18.961{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FE67780E478E65EDF01861331FCE6A,SHA256=FFA7764C7C5072555C8B5678A27C57F7476F9B76C655D013CBE1EEA78E9C9DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:18.866{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B94E5FA59408FA1ED58232D838185A,SHA256=8B953A832A94560FB5AE17915D728CD918AA33DE23C818F17F76B69BB7493127,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:16.438{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:19.969{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E8CDDE282E33400ED0CBC97977DDDB,SHA256=B8C8A4D62A8F569D8DECA31A0A2A80C53D5F42427EF01AF95692FB05D1F6960B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:19.516{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2A553AABE5B1EDF82008C112DF10C478,SHA256=BACAED85E203926AF141415DFFC457BC5516C11798061646C82D8019BF8D15B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:20.020{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DDACF6B83C62FE404CD529B8C85428,SHA256=828A593E55916ADE16EA93F743B727C3C43AACBD572217D01F6E5B94E053E58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:21.081{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623F0D808386C278912DA2244BA2B40D,SHA256=5322EB9DB2DE5E470F857928B5701F0F9103039B786FAE9B51B7C2E96A728EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:21.050{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1F8D2393FA1B8369286B94233BA6ED,SHA256=64950E46B4A3D006DE285AB1E0A59A385B37358602E1A3EB1458C472917E49B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:22.138{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6135395E9D8C513F6550C13FB7C2283A,SHA256=2715974E19DFFEC7C82E62FF83A0B76209847343EE7DF0C1F3613A0BDD4962BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:19.557{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57228-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:22.169{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2BB2C0877472AF02922138EA119150,SHA256=CB6D366089656FDCBD8B78D19E3615DBE51CA666BEAB3E77AA368910A2023EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:23.231{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380B2260760A09D2C80A127774401372,SHA256=347E6110BB25514C7203385E362E36331C6834748612729E0C3BE0A639FE5B8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.999{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.996{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.990{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.988{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.978{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.972{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.969{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.968{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.966{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.958{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.952{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.939{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.932{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.923{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.915{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.884{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.869{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.862{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.853{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.844{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.807{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.804{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000292370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:23.254{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D434982CF3BA696528734475B66634FE,SHA256=124F29CC7772B5FD4073200BC38C02F2A1AAD62580EDE5D61DC7E2C9078A93D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:22.404{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:24.327{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF6E9E36A4CAE42B482F6A996768066,SHA256=84730E0560FCA97BFD91AB3C7B4FBE51925FADF498E7B3465C0DDE515E168010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:24.827{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-082MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:24.387{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:24.384{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000292394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:24.285{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A61A3B7CC3CF30662C6F22F3998FD49,SHA256=90DACBE5D06457B71B2F3EC518292484ABD47E8D3F1E28C3F6D39E2DD12B7628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:24.003{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000201302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:25.411{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8542822D54523E2312F74933BD8FB8,SHA256=3C785DF1600EB244747A400AD6C89ABD35AD6AC7F349BAF749BBAF0B36753899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:25.811{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-083MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:25.358{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8D37A28B5EE75325C830D1BE70D6D6,SHA256=4B44DC584CF48B9C5EB67C04004888CFFF270C27B6D7FD8096797347432EA05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:26.500{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB2F64A04A6402D969EAC4F8F6B6E6F,SHA256=A24100F2A4EC2C96E4A934706A5622185687B00EAA179B76D247D4D0EB716B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.982{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.974{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.952{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.947{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.938{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.934{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.932{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.929{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.925{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.922{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.920{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.919{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.417{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.416{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.413{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000292404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.404{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14CF7C43FAFF12B2398F8333CCCA519,SHA256=8F2761AE23A87EABE6E2B572350D501CBA547CCFBDB808B668858ADA9ADC2FAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.306{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.306{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.305{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:26.291{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:27.580{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1E01A5452E05B84492AE1DE1195DCC,SHA256=19950ABA050BAEAFBD3EE24B767A502D9E9579AF3C91BFBD32D92EEC0A796DE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.720{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000292443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.720{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.719{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4e4644.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.611{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAFAC5C29171E400EAFB83FF3039C3C,SHA256=4ECE2ECAB7773C01B91D110E1705E39023F16670EE1654C4997A9EE5828A642D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.547{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=0A2589BD655A9A562455C866465C31B6,SHA256=BCDC9276E9AC9B2E23344E80AE00C915A299A8F140E8EC314E519940A2FC0A62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:25.537{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57229-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.143{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.143{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.141{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.117{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.104{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.100{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.098{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.093{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.088{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.086{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.082{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.074{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.066{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.064{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.044{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.016{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.007{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.005{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000292420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:27.001{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000201305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:28.664{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDADA1CF39C65EA4960DB0F450A53EB,SHA256=5740A3A9817908BBFAA3E8965403AF1A66379E8E1B0649D6C7F281182CE4EAE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:28.696{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:28.649{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44721F7C2FB0E357610B8F729D81DEDF,SHA256=5D329956194F34B8FBAB002AD65135EC8002162C226EA70A587D4F519DECA1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:29.940{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:29.764{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC4421A33849A1035B94992AB576329,SHA256=88A55225322AA2A84A9CCC851709D43D0F32A8289D84D8981A52390C6E55EFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC0A0BAC615B27902FE1F62341FAE6A,SHA256=93D6E42774368E252EB0FF2C813B167255BE598EDE8B38F3DD5CB53E9968ED53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.625{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AFD73519E1A5890EB7A4BF860E4F736C,SHA256=922AB1A99A71AB0A7CF8ECC3AA116A12519A0F4FEBE90C23EB64CA11C3F6B548,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.625{30B46F62-5C65-6352-9903-000000008B02}8447960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.493{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.493{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.493{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.492{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.492{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.492{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.419{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.417{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.416{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.416{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.416{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.416{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.415{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.415{30B46F62-5C65-6352-9903-000000008B02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:30.842{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA39D6941364F1E96F5631DA6698FF5,SHA256=4F84C930D948895BACD331E20FB5EC748124EE9ECDA3F7521F312D2F1C1F53ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C66-6352-9B03-000000008B02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5C66-6352-9B03-000000008B02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.770{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C66-6352-9B03-000000008B02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.771{30B46F62-5C66-6352-9B03-000000008B02}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.743{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35EBE51829049ADFCF87505AD267C3C,SHA256=F84A6C9B822B52D98B95F92E64A69B8E2DA880CE80A19172A98827072224F261,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:27.446{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.444{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228704EB42040B39A7D7F3D18812C1AB,SHA256=6F691244E5F43DA38D787A3706E036827B4CE496D1145E228CDF24F5D2ED7448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C66-6352-9A03-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5C66-6352-9A03-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.100{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C66-6352-9A03-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.101{30B46F62-5C66-6352-9A03-000000008B02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.069{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.945{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000201331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.928{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812FC6F531407BE4A8C7BE8684DE7F19,SHA256=A88A51A0C13A9D871E935625B27CEC48E897B4DAF756FC25DC8179B3605919C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.925{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.892{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.867{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.857{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000292485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:31.808{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73B97B326D8E6212724ADE1E3BDDB3C,SHA256=270619D8DE4D1F0AF8DB60945BE89A07A7ABDBFB39E31838AB931C60CCE0E43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.843{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.816{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.809{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.794{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.786{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.771{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:31.768{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000201310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:29.231{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000292484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:29.402{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57230-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000292483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:31.187{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6DB7DE08292047A398F610D6078289F4,SHA256=07A3C91920D7F27ABB51D487BC238B1C9BBDDB1471AE2756019B9F7D74E13826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:32.895{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FA3DFE6833DF9011118EC1EA0CEA21,SHA256=825D631C2A9165E25E5E661D330C90C47C18262A71402A88A6264C81268CCE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:32.890{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51B06451092AFCA4F4291A22921F9A8,SHA256=64A87C25798DCCD8875AD26E2B0CF162F06576DB39645F84F7AC8EB44DA5240F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:30.605{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57231-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.976{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F807C9C5C1361E856E3A1A72F7CB1DC7,SHA256=825A56542F11645B03E68C9D3ABBC36FF41F84F4AD9450FF1EDEDD457687BB93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.531{30B46F62-5C69-6352-9C03-000000008B02}4808124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.511{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.511{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.511{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.510{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.510{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.510{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.326{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.324{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.324{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.324{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.324{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.323{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.323{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:33.323{30B46F62-5C69-6352-9C03-000000008B02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:33.997{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1353D185B7383CA62D12EC72217B3CA,SHA256=A1ABC7E63CE64FC9F50FD13C287501CEDC284626760926ECF54D55E2B792E3DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.750{30B46F62-5C6A-6352-9D03-000000008B02}6668436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:31.765{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:31.765{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57232-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000292511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C6A-6352-9D03-000000008B02}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5C6A-6352-9D03-000000008B02}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.550{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C6A-6352-9D03-000000008B02}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:34.552{30B46F62-5C6A-6352-9D03-000000008B02}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000201344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:33.459{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:35.073{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9336685ABF4C70ABC33A6DEB113CF092,SHA256=62772A2ADED37ADADA39AB84E4E18A025BD0B63BD5C946BE136D02DC0DF47B27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C6B-6352-9F03-000000008B02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5C6B-6352-9F03-000000008B02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.779{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C6B-6352-9F03-000000008B02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.780{30B46F62-5C6B-6352-9F03-000000008B02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.652{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B57373C494A59C9A1DA32325FFFD06D,SHA256=2ADE5AE92462C2FE6005D167BF333456D99AB9B148726EE899C20576A4D1D89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.351{30B46F62-5C6B-6352-9E03-000000008B02}78967580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5C6B-6352-9E03-000000008B02}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5C6B-6352-9E03-000000008B02}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.151{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5C6B-6352-9E03-000000008B02}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.152{30B46F62-5C6B-6352-9E03-000000008B02}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:35.032{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87888C833D94ECADE2840BAD6F8B94B1,SHA256=4F2DAFD5B2EF03437EA04158ABEEDFCD834070C575DE1CE9C04B024427ABBE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:36.155{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887530654BD8346B90CD4E556F143B9F,SHA256=C21D8ECF55DD97B0AB84D433C2FCAC0F4165E6DD149ABA30F3690F740CAE63F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:36.095{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543445517E9E2D395A3C87FE139BBAF0,SHA256=C3DC87E8F313E226AF2999028C2F786B034C4088C7EF57A2E5C08501F24F87CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:37.237{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2EACAD886F0109AA8AB94CB64E9FB3,SHA256=2A36BACCD0401E4945853691A04779E3240E32E8ADE485535638584D9EC6C00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:37.181{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E161A0DC633918F898C9B619DA878A31,SHA256=70BE98476FF900C55B42944358E1485AA7CB10BA693A65ECCDE9EB15D069DADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:38.330{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819EC8C8CB41918F74101D8585EB5977,SHA256=6597FF4AFBBA00ED6795647E200FB11FAD312D8E3895747C82E7214933BE9299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:36.515{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57233-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:38.231{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03E35FB67F12ABEC3B72FC029568951,SHA256=0D9157C6DA342A8061476D4895B63700A6BB5AB44CEA91D32990DBCFF6D50622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:39.428{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EE9340051562B15195653CD8883F57,SHA256=E4E7002FA8C1680CB257B5DC9B752076943C2F6E1B150D2FF73789861AEB17C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:39.301{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A3FE0F2CE817AC01CB48BBAB3A1B87,SHA256=16CA9F840B3003448C31D00D25B2F899E0183A0D74746E93670E8BB8F556C55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:40.537{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6795A0DD28076096E5681DCF6DADB3C8,SHA256=6E78527E123A7F885BE411CB2FB5B76ED2CA2CB7C4D8E552424390D5FA1FC9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:40.361{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977D21F4E5DA341BF79A339E8925EFC2,SHA256=712E180ADFB05F0D7D0374F3974E3A902ADE3E9097E5217A94F5DF6CEBE67F28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:39.397{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:41.626{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460B05A98BDD2B78712F9170497052B2,SHA256=061712576A695397B4D323AF8828F4A81F4E590A403916F7BEA7C3CBDE3D4759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:41.438{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052646ED3FDC09BC28735EFC64CBDDFA,SHA256=ECB41A81FAED125E39944B808E22871F2FAB5EF52DCADBD1589B7D91C4DC73E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:42.733{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8A9BB692A894AE0707A7C0C47B6162,SHA256=206A80CB18AB844561C1732AF6575E3C5CB23C1CF883E6A4CEAD8B4D5015210B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:42.506{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D54509C27873866D2606CEACE33960A,SHA256=4A42BB84DB87A348EB56384DFE618D91198CE489DB8AA6BE90AF7F32623A79D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:43.805{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1074171E3BBDD0F8DB1FA4CF576BDC7,SHA256=C57A83A2F4540154BD48319B35EA64F88B193F46F6D6E3FA4ADDAE8730D82C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.992{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.986{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.982{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.981{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.979{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.974{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.970{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.958{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.950{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.941{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.934{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.912{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.902{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.894{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.884{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.874{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.822{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.815{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:43.580{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E649DC918C0A3D7AB39C13D115589ADE,SHA256=8542A789267F8CEA6086B8FE6C39402133D3B62B6A97D6B7D376912E87EEB461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:44.901{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543A9768B6059E868D5A8728C71A0DD,SHA256=B254D7BB7B27D3CDA71720B3C59B7279189DB5A418F54D797B59C1652ADA2B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.621{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE99500B168701DD01BA931AB5B1374,SHA256=48CCE62089B5CBD001371DCD6681819A63F22CD9592CD969C17C13EC1A358E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:42.527{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57234-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.358{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.355{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.015{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.009{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.007{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.002{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:44.000{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000201370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.982{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42A96B6078F4A1FE7B44351B03C00FD,SHA256=7B703229A66B51FAA0F1CC49AD77F08929B692A606FD07D03115D28CEB2341CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:45.697{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDCAA0569724DF50CAD047D8B34BD374,SHA256=22ED24B788B410103C81EE719A2DE0FF6D7A86EDFB1949F21279C07BD533ED31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.816{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5E7632C1A20CC3CBA71B54FADED1234E,SHA256=A1F934FE93CC39F5CF754A94F1A44D1452A1F2BE9F0326F020DC4956E5B20EF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.648{EFF5EEA8-5C75-6352-E902-000000008C02}34683964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C75-6352-E902-000000008C02}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5C75-6352-E902-000000008C02}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.461{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C75-6352-E902-000000008C02}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.462{EFF5EEA8-5C75-6352-E902-000000008C02}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.990{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.984{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.983{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.980{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.966{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.957{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.929{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.924{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.917{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.912{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.911{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.908{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.906{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.905{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.902{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.901{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.772{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E1FF95820AFE01435B84A21C70E59B,SHA256=DEF3A49768F400837C49DCB433BBEA37360716A03D01EF012DAB45942304BAD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C76-6352-EB02-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C76-6352-EB02-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.619{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C76-6352-EB02-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.620{EFF5EEA8-5C76-6352-EB02-000000008C02}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.510{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A5832AA0CF2A06762E12F6AC0C49CE,SHA256=19F1ACF90F6E1686523DF545FE7375153EFFCADC3201557065AFCFF5A6DC707E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C76-6352-EA02-000000008C02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C76-6352-EA02-000000008C02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.122{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C76-6352-EA02-000000008C02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:46.123{EFF5EEA8-5C76-6352-EA02-000000008C02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.374{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.373{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:46.372{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.875{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F872210641096F2AE4EBFB5420E9FE3,SHA256=96035CFFB7115F8EF82AF80DA48346187423E38D7644EF48AF6C2FA85BAF3754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.984{EFF5EEA8-5C77-6352-ED02-000000008C02}15162516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.959{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.801{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.802{EFF5EEA8-5C77-6352-ED02-000000008C02}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000201413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:45.371{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.348{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F1644A4F6DFBC86E3DADFB0ADC47FB,SHA256=5D2F0B4CFF1452C84641DA0A5E3108B6CB7CCF600EB515022D484ABD511F9CC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.317{EFF5EEA8-5C77-6352-EC02-000000008C02}14441160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C77-6352-EC02-000000008C02}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5C77-6352-EC02-000000008C02}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.121{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C77-6352-EC02-000000008C02}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:47.122{EFF5EEA8-5C77-6352-EC02-000000008C02}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.066{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.066{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.064{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.042{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.040{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.037{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.034{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.031{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.028{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.026{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.025{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.022{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.019{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.017{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000292591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:47.009{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000292607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:48.977{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBBABEFF573D3809D2FBF63BD1805D0,SHA256=112CCBA92F1CFDAB56A4D9259A54A20B1490231E860E79791ABE0F9C29D3A8CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.648{EFF5EEA8-5C78-6352-EE02-000000008C02}40603424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C78-6352-EE02-000000008C02}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5C78-6352-EE02-000000008C02}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.476{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C78-6352-EE02-000000008C02}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.477{EFF5EEA8-5C78-6352-EE02-000000008C02}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:48.289{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF783CAA9FB580FC2A9F8E532579241,SHA256=D6AE2FE3AC5576B64A75FD3F4F6E28175FBA72FE03F1E59725FE7375CD82AE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.746{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A882DF3EEADF6114DCC2828334E1CF79,SHA256=2C131CA82E9FBD824D7C41E3DA5AE2F347CA08AE1FB7A42961DE8ED431AE8CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.449{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF07E520F74512ECC48CBAF1627C9EBE,SHA256=093B46EF3080FB3A483AA4EAD2ABF088620AD0EE1E80088CF073F7F02B5C4184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5C79-6352-EF02-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5C79-6352-EF02-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5C79-6352-EF02-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:49.143{EFF5EEA8-5C79-6352-EF02-000000008C02}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:50.609{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5787429BB037118F269A89129BBEBD47,SHA256=AE7FDB0BBB0C50F538A6F34C2A10EB1E18013A45B505CE6561E9A66F31D3A5AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:48.517{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57235-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.038{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8CABE754561D49D8A82F2F7A905C00,SHA256=60B70E6CD78AF2342305D54F0C2DE1424A5DB23D8C6D4CD090D2B4FC9AB824F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.948{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.945{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.942{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.934{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.933{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.846{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.839{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.808{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.801{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.793{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.785{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.776{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.767{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000201466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.764{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000201465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:51.706{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21715776E5540CE3AA9B160A7E7F8353,SHA256=44207CF91750264E2CBC8C5C5BE7B143BBE6172C4F9B6C1AB78BCF12D301E6CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:51.511{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000292612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:51.410{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:51.410{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:51.084{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C311746EAC8E2B79808DD95DFAF908,SHA256=9CB36A9406C421DF5233DD01C6FF52125D8309D393CAD2375AD0864B3C82EA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:52.799{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A17927CAEB7FFDD4C9C781ABD93CEB,SHA256=6451F7D7BEED1DD16418BE1A01E37B0197D16AABCEB512ACFC7C18728F9A2790,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.876{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57238-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000292620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.876{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57238-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000292619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.783{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57237-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.783{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57237-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.775{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57236-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:50.775{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57236-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000292615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:52.511{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD9641D56F82BF278E858CA587D1971,SHA256=BB872FF80A17AE895E1E84C4AD5F2E34DBC6072DF567E9F269DEFDA9C228FDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:52.161{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C7D7680BA50DE5A4576C6D8BA6B217,SHA256=E723A59027647C75AF50E5CBECBDD634DDB8BAB7E2B17E795D3A248F76BA2D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:53.885{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B29C10CD0AA322A050912BB211D7664,SHA256=624A9999B248042FA041237D4462F0F14486A319727E61417888465EDA34217D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:53.287{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A470F0DA399BD9DE634814C3330C43,SHA256=73A585775D9EE45B5B1C53CD0B135B1EE200E534514094A03072E80D29BD6ED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:50.529{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:54.977{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B925A5D5C39EAC1214EA5DDFD133F1,SHA256=9FAFADACDE05536DF5B9472E23624DCAF629C2F692F9F8583358F1C46F6C3FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:54.359{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EC06C7F97971932AB6288D4A95CE97,SHA256=8DD6C3BAA347043730A1041113ED8AF003A129762C7B8608DD945EA52A5237E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:55.430{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5AC073FA8E10599CE4B70016E257A9,SHA256=5F3B81D87EE02DEE0852AF24F34B0845951BC03F72C47A5F81E8AB8DDCDB3ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:54.550{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57239-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:56.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F706B587E7F288009824FCF85B2B9B62,SHA256=0906C08870B50F7D6FA2B908F1620166794D5901E3A91E3134E2804C757D5B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:56.086{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD5B450C39A47EB0D1D8050B0892828,SHA256=667A62E95939C43DE6E90841BD26501BAC96637C8B311D184DCFD70C7FF0A5B8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000292633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:46:57.702{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000292632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:46:57.702{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000292631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:46:57.702{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000292630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.691{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.691{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.617{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320C75D0FCC4B151C8FD7BFECD9FCC2,SHA256=0B863264142C47CB0F5B66137CCEE1F8A197538760A90BDDBA201BFB388CD811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:57.173{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3CB163D59F6CA8E8FA349DFF895D58,SHA256=32860128CDADF89DD82622F69C2C970142BACAC5C440AE6E5EFF36F9CC2FC264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.032{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=0251E674B1154D8AFDFF6C5C8297AF9A,SHA256=0587994043E43A0D878EC06499DD158C5B44122D7931980A250B35FF55AA74D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0E97A43D1BEEDF4247585AB50AEC17,SHA256=F95B73A93812962AE72615D9C409A34F060DEF51FDDF4FF11F9F90AF0303150C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:56.419{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:58.275{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2818809286B40A9B70CFA883DF8B9279,SHA256=F487E39D874C1AC9617F9CFEA2CC51AAE97EDB243A171EC30B1D4F6A516ADA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.535{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.535{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.535{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.897{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57241-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.897{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57241-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.055{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57240-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000292645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:57.055{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57240-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 23542300x8000000000000000292644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.720{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F03C48976AB8B81AA3CD14A9D56559,SHA256=1AB3EB0A3F0463F57DB1C75DF80C6FE15E99465C73167597ADED1C77B69EFE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:46:59.362{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579FC31CF4FAE303F48300D64D02BB48,SHA256=93D682550A790F85D9A81E2E8523F2D58144CA9CABFF87FCAEDC18134570E5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.636{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8E3E851C2F4B9B9A7217B49404019E1,SHA256=07CF0D12A2D73A08C297CF25B5A12B19A9D416F1295C265ADDE950B3056AE922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.535{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.535{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.373{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.370{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:59.370{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.728{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57242-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000292650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:46:58.728{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57242-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000292649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:00.822{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B00309D887FE2B2FE1A87CF6F328300,SHA256=FE2B84CA51A907056E006B57157134EC7BE27C8ABEF85DFEE2480B71EFC91E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:00.452{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908512CB5A22D6EA3A5AFC984488CF16,SHA256=AA60B27257B9D815293C583307E1624F6B816567126901FA0D5148655C74D556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:01.882{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC970B5E17D11E943D046770BAEC3131,SHA256=BC294159A842A69C6B3A9A5C3AAAE3E927ED67679FDC4E3E10FEF49351E0AC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:01.542{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B9050F43F0E2DAE9A714277290E2B2,SHA256=B620C2DAB8CE2CF3ACD57F7A9045A5F15594345C22685082B666039ABF9863F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:01.427{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ABCDA599DD7BD41CCC2F2A53BB8A1820,SHA256=275E170E8CE64602D1F93FBDBB40C91691F15AB9F7CA339227CAD8A1341100C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:02.930{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ABCC8F1DD5ABB88B1C040E4E3B7935,SHA256=E4FF1B5EE52F42A81521C863FD9CC8341881B87E388259E00AB8B9786BDC3799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:02.631{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D457441F5895B483B60FE68664383FB6,SHA256=B86EAAADA947A6953123E27338CEE2DD84E8443CCF840F4B3C6F8D246B3C4EC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:00.491{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57243-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.998{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.989{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.985{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.983{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.981{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.975{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.969{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000292668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30871FFBCC3DB90626A5F9F79719C70E,SHA256=12B10C3CEA9B371F8AF7A19AD7DC1FD163F5389A20DD202B00E61E2F3F231190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.963{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CF2EB7ED108FC12A3CC391B3E5AA5511,SHA256=6263FD9C2C6F73F79FF15F68E6C74481C33BC7A61F1303FE724E9B615DE62D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.956{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.948{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.938{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:03.718{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8A1848242F56DF494DF626B9585D61,SHA256=B2D6C1F5A2D70FA1FBD3536F4C9242F3B7943945C909756AF574983B07B2ACDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.929{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.905{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.893{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.879{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.870{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.863{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.821{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:03.819{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:04.901{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D219739AA24174D2FA36AD69DF6EF76B,SHA256=5162BC5B2AF3A91E3DD8275276897BDF17B61AFEBF6AFD71DFADFA48C83F0EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:04.808{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7718B2294E6D4DBE7E77B9B058B1A355,SHA256=6CC61BFE0A03CEE6AD6E0BD8D49DE24769ECDAE0DFDEA8BB0C5F81C4773A1F15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.496{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.486{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.049{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.039{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.036{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.023{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:04.014{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:05.883{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A9909C0DCE0D154143DBACE7FA05A0,SHA256=3F69126F5F1614CD11432BF1C882580AC0DF79A918485653124F7313890D6E8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:02.376{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:05.007{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A184F17EF1CFB0754684EF6B68FB342,SHA256=93A92A82480A1E61F3BDD5C92809CF2D05387DB02FF0B9214F5BB2FFB78352E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:06.980{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4403E599257BEB7F6743FAA3DDDB105F,SHA256=408E32EBB658CCF75F4E4557674470DF5A2CD39449A7E04DF1B44B57AD93F616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:06.512{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:06.511{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:06.508{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000292684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:06.066{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0285B71477369F0E31D1B1AEFE7CF277,SHA256=BB2A04761BE4721C1F6BB4924D4467C47C73C85055AD2D67EDA7025609B341E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.234{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.234{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.231{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.208{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.204{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.201{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.197{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.193{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.186{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.185{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.183{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.180{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.176{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.174{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.165{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000292705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.146{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E0B59B630CBF8A0233F9698B32C176,SHA256=B709826FED8ECDB5E29BE258C6FA4BBA9D43A7A4432032FCF35EDF19EB6A6363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.141{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.131{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.129{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.126{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.109{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.095{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000292697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.055{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=19FC06F5EA9C13449DB2A06A144A4BC1,SHA256=A11C51C46A9BC6BBB160C89C38B54212B8D1BE2672AF3B4F03BDFA751A8882A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.049{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.042{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.035{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.033{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.029{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.026{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.025{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.022{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000292688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:07.021{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:08.064{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085D37EF09874273B98D5C3A0CFCC26D,SHA256=A8898C2518CF31D8901AFB2F29BE029FC2C501CB80B3F95B6CAE4C2AE8FD238A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:06.494{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57244-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:08.162{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF538ADB9ADEDCC70158D6CB3E90FABF,SHA256=EAAD773CC734F3DCC619C11E62A0B943AD7F3201731B7EE38808E098E5C128FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:07.531{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:09.258{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77409A5BD336F07F448F8CC55595C22C,SHA256=4D9E414CFA59751FB763088BA7372D387A1555D1853F5AA227698D8B5CCC4C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:09.253{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117441D3EFDD894448D61D3DF0F73B30,SHA256=2B8BF5737D2703043D22F93D53227574067D989D37EF36A65CCF70654B12E88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:10.344{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9563FF4B233F0A068636C062240373E,SHA256=BDD9EEB809DC10ECBC8F18B4F7702DA7D2EBAF0710DCC3DF938FA1455F1DD918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:10.288{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D4F39A9FA6F384BEBD6A3F55DB785F,SHA256=E8C7C758E46FA29D0C738B650DB21B8EC2E5BB16202A0853B7280F2AD1AC1F52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.920{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.893{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.890{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.880{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.840{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.834{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.805{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.796{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000201518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.771{EFF5EEA8-4860-6352-1F00-000000008C02}12002872C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000201517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:11.433{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4A18DE86B54775D737E1979CE02D98,SHA256=5BB202E0287E4437118B1C3539554E405DFD80F52F504D1C282C07B500B6A1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:11.440{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF8783A51FA450328D8B6A50952D3CD,SHA256=E0ED05286C9FD330C2335279A75421CA34B8E1F83F38E5FB2F1BDFD6FF56A35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:12.981{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F971C66C9282FB7E9EDC7625CAAC93D7,SHA256=1A514558E5A7CA57401822B40F3A0B2BFE0B2A7113997C1C02976AA777BDDAA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:12.491{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4FD4D102744C9462E3A5BAB1BDBE25,SHA256=9F58E4419D41C4AF2FF15DE3B2483E246A14AF9DACAD8B2687FB57CA4ABE4E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:11.578{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57245-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000292727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:13.559{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB431C6BB95965825A169073B021BCC,SHA256=AD7731A420DB5E58EB55B70CA31A05C6DD12C5893001C569AB652184DA7B1FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:14.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A8AD9B8517751D16386951BBC9D65D,SHA256=C67EB8B5068F131C1DFA62772AF02DE1594DAA8D88BCDB4D5F8780CA48557738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:14.365{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-083MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:14.036{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B55C4871F83B9A558D14C668A6A753,SHA256=2229C62F6C0EE69213CC2A43595234DBEB2BFC9B4114A55C47D73F9B338E6D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:15.720{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CF79522DCA3EE1AFD18C46FDE4EAF2,SHA256=C45EDEFF40002C4E154F67BCE68051697BD466D533EEEA8586C95170DE7D543A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:15.368{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-084MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:15.104{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61C034591CD3A3358A8F6F401B4CA0E,SHA256=F59290DD35B541252F374FD2749F8461C3DDE01F4FFD34BEA3C66F889B514F85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:16.763{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302B356E79D4D34627577C87E4DB5E14,SHA256=2928D8273E74E06343E3D217C802370CEF4D7C4A129EE1793B1ED6E507036B76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:13.472{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:16.185{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980DB654A0194C68DEFA55F24920113E,SHA256=E2B3834F0CB046192CE9BD537196C9EEAEC9FEC9B98205DD60031F1BD5FFA9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:17.823{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6218B748A6FD3DFB4D08A47AED250F2C,SHA256=273B6E1ABABDA442DEA8FC739BD77CD8A7148AE985E2F63ED127DEC5ACC5E314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:17.271{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8BF0CDF8B6F0462D83B2CAA1E64541,SHA256=81592727106340257F27DE15DBC24835E83DFADF040805B8C826613278B04F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:18.924{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F862BB44E5F6C144DB95FE3B169CD5,SHA256=A4ABCCC448B8CC52C794337DA9EAB19D67F5ED5215AB1807E1BB53E6F79FF75C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:18.358{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED5AB66C7F76110285ECB6E71CC48D6,SHA256=30AC57FBE5ABFB1C3357E83FEF0143FBE64E1FAF8751DBA8E255BA1C0B63D617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:19.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49F5732C207D7EE3BB6ACA5BD23D30F,SHA256=F265774EAC531099825310D608D5E5AB49F6D73E287F5DD22D1FB9B9B5EA3D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:19.443{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4371E5BF3520B7E015E587B2F7BA8871,SHA256=BBCAFDC2B391E84899AB94476BBAEF617D4AA039BFC288D2D5376C13F7609171,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:17.544{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57246-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:20.519{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96399DCAD46C7EFAAD260A7CF0DC871E,SHA256=EBC89FD90146E80283993D34E8121E94D6DE5CF09D6B6F7CE1832ADBB13F9F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:20.326{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=3FFBF233EA51CBE10D5D58B247B77C02,SHA256=32B0758896042786D34C95DE2E30E218210048D3779B4881F89BB985BC07125B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:20.007{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C4D97BF09AF3CA9F7C222E445E4E94E3,SHA256=E17E20C69637241771370857960D24D4B2DD72797FC5EB598D8339F02DB49152,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:19.475{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:21.602{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBCF56EF4DDD096288F020FC76472AC,SHA256=F6D9635E59677C22693AC58487A3120B84D93131ADDA247878AA80BE3C9CDE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:21.053{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6A3AB77EB6F8597648B61F9C354D84,SHA256=012913F5B0BCC875FD11400E05852D7E895C29B2C5D74F59633209FA62332FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:22.698{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD109C0E80DF5CDBAF931BA45E7C399,SHA256=1B5EB6C4DEA68F44184215CDD4A645BE72BC2294F76C2DB4E8F4AAE58756CAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:22.135{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C1C155BCE52D59B5A0234568735066,SHA256=2724E480AE200C32FFC968F653D2091B9196EE1C03692245157AF4126380D5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:23.786{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAA13A09B014F4AFE10091D4E9CDA1E,SHA256=25CC075AC2F3D4D9A779D49B43BFB45A9ED6E29773A9A6FC69313A115C49A030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.979{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.956{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.948{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.935{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.916{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.839{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.833{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:23.271{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C17EFB5CF968E144BA963C0FACEA81A,SHA256=BF0B16F0CD6E0893001067CED951D6F3387B90E5864E790AE306044627FF0837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:24.875{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240055A8C12B9284B9A4D0DF2DF319CA,SHA256=C57C5D577501F72E9EAA685903653E831CF47E1404A15F92EF4D542CAAD12A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.549{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.545{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.430{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C65D76B967E69CE605158720E67700C,SHA256=3803B1536A66E7934B87FCFBA666FFE51C2641116656CF8382DCCB0C609DE594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.117{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.105{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.101{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.094{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.091{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.080{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.073{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.070{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.068{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.066{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.052{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.039{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.031{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.017{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:24.006{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000201565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:25.979{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0695C5AE05A9E82E9D029BD9DDB4F1AF,SHA256=2D8D2EA22B50F613E587D12B72697E101CE3373DC16E6E1148B0F296F782121B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:25.476{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A03C61D3E67BAAA9837FB6FF1A5AE3,SHA256=475A410926DC0ED375C1DA1548957B0B8E416D1D2D878D6280ABA58249AD841F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:25.155{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80a49|C:\Program Files\Mozilla Firefox\xul.dll+e80d2b|C:\Program Files\Mozilla Firefox\xul.dll+121ed8b|C:\Program Files\Mozilla Firefox\xul.dll+e7d527|C:\Program Files\Mozilla Firefox\xul.dll+123b459|C:\Program Files\Mozilla Firefox\xul.dll+cbbf1|C:\Program Files\Mozilla Firefox\xul.dll+c50138|C:\Program Files\Mozilla Firefox\xul.dll+c4fe6b|C:\Program Files\Mozilla Firefox\xul.dll+18cc32a|C:\Program Files\Mozilla Firefox\xul.dll+1895d88|C:\Program Files\Mozilla Firefox\xul.dll+1cb4920|C:\Program Files\Mozilla Firefox\xul.dll+1e2a3ce|C:\Program Files\Mozilla Firefox\xul.dll+1896178|C:\Program Files\Mozilla Firefox\xul.dll+1cb4920|C:\Program Files\Mozilla Firefox\xul.dll+1e2a3ce|C:\Program Files\Mozilla Firefox\xul.dll+1893c90|C:\Program Files\Mozilla Firefox\xul.dll+1968196|C:\Program Files\Mozilla Firefox\xul.dll+1b62cf7|C:\Program Files\Mozilla Firefox\xul.dll+1b59f0d|C:\Program Files\Mozilla Firefox\xul.dll+186cac3 10341000x8000000000000000292769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:25.098{30B46F62-48CF-6352-9A00-000000008B02}48047672C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:25.091{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:25.091{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000292766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:22.568{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57247-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.590{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.588{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.581{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8EFAB7652BCE4B93EA598482885A10,SHA256=F704281505D45ADBCC7E13C5F37A57243CAA99DB6B4E00FAEAEE7FBC0DDB11D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.578{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000292776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.336{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-083MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.299{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.299{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.299{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:26.287{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.960{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.908{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.887{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+44ca766|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2 23542300x8000000000000000292815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.855{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11F88D904634740DE30FFFD138A1C3E,SHA256=6093CEC597F5CCACAE01203C96EEED415E46D5D6B4FE1280A7D5429CD8323603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.762{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\formhistory.sqlite-journalMD5=2EF9421C30BAD468A1E0BF24642D1152,SHA256=8DFCA0B44CF5FC1FEF67B056D27B32C38DD837D57731629CDBD034BFF2FAC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.747{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\aborted-session-pingMD5=35F724E37CD08CB869C970DB8A0C666B,SHA256=89765F0B76B99A838256791BB8A86ED43C06AAEE7080D8256249E1F1F0BA6FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:27.072{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F66052424B582B27BBCC625A3CAEA6D,SHA256=5EA024ECF760867DA07E48810A8DCE0696274CF51A0D1C1B0A65D6B08B5E4802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.314{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-084MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.269{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.269{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.266{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.244{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.234{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.229{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.227{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.224{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5415-6352-9502-000000008B02}6524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.221{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.220{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.219{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.217{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.214{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.212{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.202{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.185{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.179{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.177{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.175{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.160{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.148{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.126{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.121{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.114{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.110{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.105{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.100{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.099{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.096{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.095{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000292863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.921{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:28.156{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE52DD182DB9BF4BB79F49CC0C24CCBA,SHA256=B620CDE08637AE1E65A883D9CD85549AC90AE3B2167A72A62D0A92CEF003D192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:25.434{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000292862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.921{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.917{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.917{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.917{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.917{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.917{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.916{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.911{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.60.1808942541\1926677580" -childID 58 -isForBrowser -prefsHandle 9112 -prefMapHandle 9088 -prefsLen 31972 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {356d9ff2-1246-4374-bb30-aa94cdcac08b} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 852 214c5c5d358 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000292854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.910{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.910{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.910{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.902{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000292828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:28.902{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.60.180894254C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000292827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.113{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local52747-false142.250.191.228ord38s32-in-f4.1e100.net443https 354300x8000000000000000292826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.100{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52746- 354300x8000000000000000292825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.099{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49453- 354300x8000000000000000292824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.099{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50648- 354300x8000000000000000292823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.099{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64870- 354300x8000000000000000292822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.098{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60084- 354300x8000000000000000292821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.098{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64325- 354300x8000000000000000292820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.097{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59708- 23542300x8000000000000000292819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.762{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93935B85519B607E75AD27962934EC23,SHA256=7E586770432A3DBA51E824081E01CE8CC528DFABC4DE3EED6B6DD7DF7C8045DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.972{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA1-6352-A203-000000008B02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.971{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.970{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.970{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.970{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.970{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5CA1-6352-A203-000000008B02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.970{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA1-6352-A203-000000008B02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.969{30B46F62-5CA1-6352-A203-000000008B02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000292922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.959{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.959{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:29.948{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-57C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000292919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:29.948{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-57C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000292918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.947{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBC3DB8E1CCF646787CC4EFEB4A996EC,SHA256=4793214A89ABB86DBEE6F5F786261B01A3DEAAADB854A9A16F1E20404CCA8B74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.930{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:29.926{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.11576933733731831334C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000292915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:29.926{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.11576933733731831334C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000292914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.925{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:29.925{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.60.180894254C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000292912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.921{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:29.921{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000292910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.227{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local64357-false142.250.190.98ord37s35-in-f2.1e100.net443https 354300x8000000000000000292909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.227{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49785- 354300x8000000000000000292908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.226{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62359- 354300x8000000000000000292907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.224{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64356- 354300x8000000000000000292906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.208{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51784- 354300x8000000000000000292905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.208{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60211- 354300x8000000000000000292904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.203{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57250-false142.250.190.138ord37s36-in-f10.1e100.net443https 354300x8000000000000000292903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.182{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49515- 354300x8000000000000000292902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.180{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63626- 354300x8000000000000000292901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.144{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58917-false142.250.191.226ord38s32-in-f2.1e100.net443https 354300x8000000000000000292900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.144{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50993- 354300x8000000000000000292899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.144{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50194- 354300x8000000000000000292898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.138{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58916- 23542300x8000000000000000292897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.835{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1F8C5933A19A6400A32AE82003906C,SHA256=F2B7BFE2AAD6D8D1C2B843A74D4FA4AE4CCE7F61ADD490452BDADA2AA1236764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:29.951{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:29.236{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FC314F963F38AEC8A6ACEB77E05AAC,SHA256=8716FC70634678B4F20249E6A5EA5C952CEB385A4139C0BD76CDD4F00A99F36D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000292896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.885{30B46F62-4D08-6352-6F01-000000008B02}2076plus.l.google.com02607:f8b0:4009:805::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000292895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.107{30B46F62-4D08-6352-6F01-000000008B02}2076www.google.com02607:f8b0:4009:818::2004;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000292894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.880{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61103-false142.250.191.174ord38s30-in-f14.1e100.net443https 354300x8000000000000000292893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.880{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65270- 354300x8000000000000000292892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.879{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51057- 354300x8000000000000000292891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.872{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61102- 10341000x8000000000000000292890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.579{30B46F62-5CA1-6352-A103-000000008B02}25164992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.416{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA1-6352-A103-000000008B02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.414{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.414{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.414{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.414{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.413{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5CA1-6352-A103-000000008B02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.413{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA1-6352-A103-000000008B02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.412{30B46F62-5CA1-6352-A103-000000008B02}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000292881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.555{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local63288-false142.250.190.35ord37s33-in-f3.1e100.net443https 23542300x8000000000000000292880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.334{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=823CC0732D4156B447BBA559B76A4F58,SHA256=956E345B9CE0318D58DE7C1F8A22A694C1BC25AC60141EDC4BD5994D30A71FEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.295{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.295{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.294{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.293{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.293{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000292874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.293{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 354300x8000000000000000292873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.437{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57249-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000292872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.425{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63287- 354300x8000000000000000292871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.422{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49860- 354300x8000000000000000292870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.351{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57248-false18.67.39.54server-18-67-39-54.yto50.r.cloudfront.net443https 354300x8000000000000000292869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.330{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50510- 354300x8000000000000000292868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.328{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61885- 354300x8000000000000000292867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.326{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51637-false172.217.1.99mia09s17-in-f3.1e100.net443https 354300x8000000000000000292866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.326{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52165- 354300x8000000000000000292865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:27.320{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51636- 23542300x8000000000000000292864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.020{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5613846A602BDABA86FEDE1FDBEF7379,SHA256=023B9693DB17A0DC2245C2A89EAA5C6F594F2069496495E2D4D3B51D7BB61FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:28.500{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57251-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:30.329{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9FE5216398D32AADBBCEDDB3422526,SHA256=415D953F58BD5FA708F05FF23B4EC002119AA3FF8DFD51AD1FE4E2ABDB67561E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.643{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA2-6352-A303-000000008B02}7892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5CA2-6352-A303-000000008B02}7892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.639{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA2-6352-A303-000000008B02}7892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.640{30B46F62-5CA2-6352-A303-000000008B02}7892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000292933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.074{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.029{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.029{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.967{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.964{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.963{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.961{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.960{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.958{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.957{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.956{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.954{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.884{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.874{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.838{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.800{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.792{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.782{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.774{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 10341000x8000000000000000201574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.753{EFF5EEA8-4860-6352-1F00-000000008C02}12002820C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D00610) 23542300x8000000000000000201573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.431{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686E18F04D4BD494873420F64DE5A547,SHA256=C8CB7D95B28369C99F041DB67E5D7C06EFBEF68CEF9904DA319871E1E2823DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.968{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C06C79A4AF2D8A8E2C105574CFA4A8,SHA256=899A945D9BCF2CD441F5A3D919552B8EB53CDAD4AE027578CA61C6BD011F9ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000292950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:29.432{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57252-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000292949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.808{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000292948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.644{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\13477MD5=431948999050FB882D23BAEE6B31E81A,SHA256=8754EDFBDE2515A933302AA8476BDB36E6BC52FCE09AB04B8169A6299F4E9ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.592{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D15853AFCE856086E3E03B1CFB9D61E9,SHA256=8C82B77E873F7CBCCA7771294E9FB831B3652ED85B09B1602C51C6097C4398EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000292946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.507{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D6-6352-EA02-000000008B02}7448C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.496{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd 23542300x8000000000000000292944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.067{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=A03FEC00F9D12081EFC43CF28CDD3F58,SHA256=0121DDD6D5518675ACFBD37FDC8A9AEEF274D3496E09017F4CAF8B49B7ACE5B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000292943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.047{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC20BFADA42DD25D5542611DD0812DDD,SHA256=6B4CAD402FA273370D4EEB40F15AC7DB402AC83E47ACB5B59B196BA936BA8B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:29.262{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000293016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBD3556E36A7B351ADF3311703A22C8,SHA256=F7C668505D7EE08ECFB9105E319F74A506CF9BE328547AFC054F4D8EC63618D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.949{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=59F0F43B49A3BAA9827AEE26F11C699B,SHA256=D7AF6764FBE0C727B1C4C0A6ED9A2C3B4E5C3958DC825C5F0F3BD17FA9257C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:32.683{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF77C40D53576725BC255E170E367B6B,SHA256=98D95025315AC78ADB2DCAFCEA721AC2EEB40608EEB22E6084AC45F136393F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.942{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57255-false13.107.227.40-443https 354300x8000000000000000293013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.937{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57254-false13.107.219.40-443https 354300x8000000000000000293012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.925{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62505- 354300x8000000000000000293011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.923{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51870- 23542300x8000000000000000293010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.745{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\1993MD5=C7D8C410F923ED2F50B9FC5AED0D1F30,SHA256=42BB1E9CCF97925A39BBB6AB26E6DF40D63131652B075D5912DF7096BED30FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.664{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A360A8C421202AECF4B85FA03854F1,SHA256=C87FCCDDD2D50E6E0D24441FE87BB46CB3CFC419145ADD38FCE083D115A4B9E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.919{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51049- 10341000x8000000000000000293007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.568{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.568{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.560{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.560{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:32.552{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-58C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000293002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:32.552{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-58C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.536{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:32.532{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.14746930705208767889C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000292999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:32.532{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.14746930705208767889C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000292998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.532{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:32.532{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.61.98689780C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000292996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.528{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000292995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:47:32.528{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000292994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.508{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.508{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000292987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000292986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.504{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.61.986897801\1601451048" -childID 59 -isForBrowser -prefsHandle 3400 -prefMapHandle 4256 -prefsLen 31972 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b10aca10-9b89-46dc-a4a0-0743eef621f4} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 8960 214d94f9d58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000292985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.500{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.497{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.497{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.497{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000292960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.497{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000292959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:47:32.497{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.61.98689780C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000292958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.544{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57253-false23.79.219.236a23-79-219-236.deploy.static.akamaitechnologies.com443https 354300x8000000000000000292957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.525{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61828- 354300x8000000000000000292956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.506{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63185- 354300x8000000000000000292955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.506{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65475- 354300x8000000000000000292954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.504{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50517- 354300x8000000000000000292953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.504{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58662- 22542200x8000000000000000292952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.529{30B46F62-4D08-6352-6F01-000000008B02}2076e13636.dscb.akamaiedge.net023.79.219.236;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000201605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:33.792{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05BBBA3EAC5D3FCDB8B0B4200339427A,SHA256=160039591A114270EB4493D97FC75E0B4DDCAC3DE45E6D23A104FF530FDDE3C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.232{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63695- 354300x8000000000000000293048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.232{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61583- 354300x8000000000000000293047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.768{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57258-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.768{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57258-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.470{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57257-false204.79.197.200a-0001.a-msedge.net443https 354300x8000000000000000293044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.457{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53096- 354300x8000000000000000293043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.457{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52582- 354300x8000000000000000293042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.454{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52743- 354300x8000000000000000293041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.393{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57256-false20.110.81.91-443https 23542300x8000000000000000293040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.494{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=50C1A334F8AF72DF3BE3D809857FD86D,SHA256=43A121BEC777DCDD9F223FA44DDF5BE3C34241549E67799E8A88B26D1C541B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.484{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\usageMD5=B8F09052FEA69C340F78244017A82190,SHA256=194AF388A850B355404F5A1FB4DF88331F9890F948A92DDBDF23E330EA5F27BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.394{30B46F62-5CA5-6352-A503-000000008B02}23086560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.253{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.253{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.253{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.252{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.252{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.252{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.206{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA5-6352-A503-000000008B02}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5CA5-6352-A503-000000008B02}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.199{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA5-6352-A503-000000008B02}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.200{30B46F62-5CA5-6352-A503-000000008B02}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.377{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50413- 354300x8000000000000000293022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.377{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59585- 22542200x8000000000000000293021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.931{30B46F62-4D08-6352-6F01-000000008B02}2076part-0012.t-0009.fbs1-t-msedge.net02620:1ec:40::40;2620:1ec:49::40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.928{30B46F62-4D08-6352-6F01-000000008B02}2076js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0012.t-0009.t-msedge.net;type: 5 global-entry-afdthirdparty-fallback.trafficmanager.net;type: 5 dual.part-0012.t-0009.fbs1-t-msedge.net;type: 5 part-0012.t-0009.fbs1-t-msedge.net;13.107.227.40;13.107.219.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.928{30B46F62-4D08-6352-6F01-000000008B02}2076js.monitor.azure.com0type: 5 aijscdn2.azureedge.net;type: 5 aijscdn2.afd.azureedge.net;type: 5 firstparty-azurefd-prod.trafficmanager.net;type: 5 dual.part-0012.t-0009.t-msedge.net;type: 5 global-entry-afdthirdparty-fallback.trafficmanager.net;type: 5 dual.part-0012.t-0009.fbs1-t-msedge.net;type: 5 part-0012.t-0009.fbs1-t-msedge.net;::ffff:13.107.227.40;::ffff:13.107.219.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.927{30B46F62-4D08-6352-6F01-000000008B02}2076part-0012.t-0009.fbs1-t-msedge.net013.107.219.40;13.107.227.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:30.549{30B46F62-4D08-6352-6F01-000000008B02}2076e13636.dscb.akamaiedge.net02600:1405:9000:299::3544;2600:1405:9000:29f::3544;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000201604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:31.394{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:34.873{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B238D0920DB3A02A752747F7B84D683,SHA256=4E625393141F70DD0618DCF8CA5FD7BA9C9C65F5BB4010A280222FF177686730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.727{30B46F62-5CA6-6352-A603-000000008B02}79885688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.558{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA6-6352-A603-000000008B02}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CA6-6352-A603-000000008B02}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.554{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA6-6352-A603-000000008B02}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.555{30B46F62-5CA6-6352-A603-000000008B02}7988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:34.254{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171EF60681610D664468B68A506E07D9,SHA256=F2603CED0E2B8B994BE36585372D1CB01E02DB07391B305385A7C74062135DE7,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.282{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdeus04.eastus.cloudapp.azure.com052.168.112.67;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.474{30B46F62-4D08-6352-6F01-000000008B02}2076dual-a-0001.a-msedge.net02620:1ec:c11::200;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:31.461{30B46F62-4D08-6352-6F01-000000008B02}2076dual-a-0001.a-msedge.net013.107.21.200;204.79.197.200;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000201607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:35.970{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E584416FC6E08C8DC4732329AD7AC47,SHA256=A0E08F82F6E16E23646AED2235E11E660C5B739FF3B57E31489D640EB218F0CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.818{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA7-6352-A803-000000008B02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CA7-6352-A803-000000008B02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.814{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA7-6352-A803-000000008B02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.815{30B46F62-5CA7-6352-A803-000000008B02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.633{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C0CC2E70230EAC6FD79A8CE9BFD900,SHA256=11823BE38E550300BD1BD61EB089EA7707F525A5299395B9BE045BD30EAA86B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.432{30B46F62-5CA7-6352-A703-000000008B02}71448028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.246{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F279983B4D2222CFCE684C016DB23E,SHA256=12C511BAE0822D2E66E0180434030C8A37CBCA7CF762AED143AE36F9DDC677E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.228{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CA7-6352-A703-000000008B02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.226{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.226{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.224{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.224{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.224{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5CA7-6352-A703-000000008B02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.224{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CA7-6352-A703-000000008B02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.224{30B46F62-5CA7-6352-A703-000000008B02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.290{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57259-false52.168.112.67-443https 354300x8000000000000000293067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.290{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57260-false52.168.112.67-443https 354300x8000000000000000293066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.278{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61525- 354300x8000000000000000293065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.278{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61976- 354300x8000000000000000293064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.276{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60653- 22542200x8000000000000000293063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:32.295{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdeus04.eastus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000293090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:36.927{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++learn.microsoft.com\ls\data.sqlite-journalMD5=929E781CDA7E5E4627CCB5A6064B52A4,SHA256=891A20A99982BDEBB4B2CD16E4473889C57CEAABA1E602E68DEE8D1343970169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:36.919{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++learn.microsoft.com\ls\usageMD5=067A56ABBF42BE9C66B467BE714E9344,SHA256=F92DA1E36FFD5F74D647A161DF7436001E2427D6C7E5EDE27446FCC4594953C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:36.273{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6203AB7492EAF2FD8CFBFD689158794C,SHA256=5E4CDB86EC32EE22B3196AF7ED0DFEFC50E88231FF7822724DCF4981668E66A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:37.293{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C33E5A90E7F42F8B5371F8B6186E2E,SHA256=1557A59D57850AFB752DDF64FF515062E1FE8D18E4F15D47C91B8F729E1933AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:37.053{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CE7CF98344176EF6F2483812B30865,SHA256=BFCDE05760FC160147522E3EFBF54F8A50F37EB159D5D31A897645DBBB5AA3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:33.580{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57261-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.505{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817FEEF88E526FEFBA527D88758BB243,SHA256=56750CEDC4E55FFBD9ECAE1D177758643D5A6BC09E676F7EE655750EB593444B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:38.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8FED8FCC6BDDEA075A3FEE95104352,SHA256=908219471D50897AB900A7652FC01F006B9D1B38EBE347E5B387D5110204B5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.441{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50574- 354300x8000000000000000293093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:35.441{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60639- 23542300x8000000000000000293096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:39.520{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AFECC3006BD4756BFDF87CD1D4C45F,SHA256=43E2F4E5D6F05EDEC41232146DBC22DD3D1063D5B795788B81B45735CB3C50AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:37.359{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:39.219{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE104B31CEF6F56AB421C52D0BE6F9A,SHA256=B29D3AEB06175DC893864E30C942D442E831CB798873A0923D2B1ECBDBE6791E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.167{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdcus05.centralus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.153{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdcus05.centralus.cloudapp.azure.com020.44.10.123;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000293102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:40.529{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F52B720D204B06D72F75E058DB97F0,SHA256=AC31DF45A09BFE1416A8C3D425B88BBDFF0C9A06EF0ABF1D0CD3238FB58DC8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:40.319{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA47CD1A2C2E6A47675D9FEA9DD941FF,SHA256=8CC0958FCE5D6064319703ED1359594EC908A2E76C82755A752F039F2D1FC2A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.149{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62422- 354300x8000000000000000293100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.149{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49179- 354300x8000000000000000293099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.148{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49812- 354300x8000000000000000293098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:38.146{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63721- 23542300x8000000000000000293097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:40.060{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:41.646{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7D5748D0CA647569B76DCA43CB8A51,SHA256=7627DCF9C42FAC7FC4EE9FCAE4E65FC891D3C536E772750EAC1B76FDF957DF42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:41.409{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342F224099AEA29F310292280242B15E,SHA256=32ABDFBCA62974A7EC483E5EB5A8C6646B198ED0B92F71FC16BCF9BB5FD9D6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:42.762{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07AABD9B772788E25633517941A3D0,SHA256=C89F60C7ED1A41A680A9DD92C12C75B22A06B3963FD4658C8C8DE09A15A37452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:42.499{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA57B605013ADCC96383444DC827966,SHA256=3BEDF6E10C84FD30298790182189E30F84347492482A53CB81CD394F78341D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:39.512{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57262-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000293115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.966{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.928{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.917{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.892{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.879{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.816{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.813{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:43.775{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1510306AD5C5088378E68B5DACE146,SHA256=C4A26072B4825FCEC4AD48B68B9849B175F85A3CF28DF0EBDA32C658A80DA59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:43.584{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C9DE2BEA618C163F4D4F53B1C18BA5,SHA256=FE44AA55E98174FE5BA9F9F0DFE51E5AB84AC3F778F3223DA22904C28BC76C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:44.658{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C1B325BD42900E7E0A879A2775EB1D,SHA256=45C1D8A135CFAE02D3F4A2886BD16689853EFE5CE3B0798E62349C766B6BF797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.796{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EDEFBAFA94610C7E5764753502CFE4,SHA256=0358DB9D140FF31AE70F22626463D0FDA8F64657F157B251F910F4F7EFDC9152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.542{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.539{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.165{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.160{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.158{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.148{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.146{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.137{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.123{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.120{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.117{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.113{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.103{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.095{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.066{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.047{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.036{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:44.013{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:45.809{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B7AD9FCACAE4563E971CD115CC9FE1,SHA256=4AE87297B650CC6EAB3454C0BD29FBC5A21442695A5BAB76C609868937526442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.744{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF13D4C618497C7A5F77D19701CDAFD,SHA256=A27553A9C792C97DFD3DAD15B413F3B8A04C44DCD30CC2455F0C21E433D38F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.635{EFF5EEA8-5CB1-6352-F002-000000008C02}28762648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB1-6352-F002-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5CB1-6352-F002-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.463{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB1-6352-F002-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:45.464{EFF5EEA8-5CB1-6352-F002-000000008C02}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000201617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:42.570{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.809{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B9D14C8C4453469181356C20DBE2BE,SHA256=3BB378A530A2B77E5C7CD66715F14596028FA9160E0AFEC40C6672CABA64AB2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB2-6352-F202-000000008C02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5CB2-6352-F202-000000008C02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB2-6352-F202-000000008C02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.794{EFF5EEA8-5CB2-6352-F202-000000008C02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:46.552{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:46.551{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:46.549{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.575{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51BFEAA3B544FA0735B17A25B7659F06,SHA256=3996D1B083BEF1C442DFFCFD8E8BBF878781BF4E9A1D4A92C3E4AD71A89132B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.421{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10C25720CCFDFEA5EC4A768DC394DEC3,SHA256=FF77DC60119615CD1D4C998EF8471B8CEA6B57520332C2711124D3EAFA9AB64B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.272{EFF5EEA8-5CB2-6352-F102-000000008C02}19482452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB2-6352-F102-000000008C02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5CB2-6352-F102-000000008C02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.119{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB2-6352-F102-000000008C02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:46.121{EFF5EEA8-5CB2-6352-F102-000000008C02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000201696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB3-6352-F402-000000008C02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CB3-6352-F402-000000008C02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB3-6352-F402-000000008C02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.947{EFF5EEA8-5CB3-6352-F402-000000008C02}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09DE789B5D2A80A680701D15EE2A87E,SHA256=83667E9BCB0B52BDDB68757A3B2A163681B47A41356AC5B8C267A9596AE683EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.690{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=19F8F8B802917B6EBDDA3602032E809D,SHA256=E1C299C5E6DE83CA077058F78198F87DB8F072DE9B6CE562F964E3588BDA73FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:45.382{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000293170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.243{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.240{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.239{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.239{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.237{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.222{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.219{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.216{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.211{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.210{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.208{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.205{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.201{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.199{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.193{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.173{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.167{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.165{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.160{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.139{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.123{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.095{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.087{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.076{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.071{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.069{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.066{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.063{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.060{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.059{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:47.030{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5194F0525BCE4246CD14C652DCE9F32F,SHA256=FF73AC872E911BAD23AA127562F5E2D04D4909C7A8E896EE827D587FDE4CB337,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.495{EFF5EEA8-5CB3-6352-F302-000000008C02}3200516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.455{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.455{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.453{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.453{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.453{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.453{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000201675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.290{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:47.291{EFF5EEA8-5CB3-6352-F302-000000008C02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:48.226{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286BDA318112FFB530A9F5ACB3E8BF3F,SHA256=7EAC75453DAF322B5D2BE15D013A9B13CFC5C7FE7B67517B6E81015D00077F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.785{EFF5EEA8-5CB4-6352-F502-000000008C02}25723036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB4-6352-F502-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CB4-6352-F502-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB4-6352-F502-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.613{EFF5EEA8-5CB4-6352-F502-000000008C02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.206{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=623A9464E665BDB54DB67A63AB8F5D33,SHA256=77020D66A9D81CC405C6A48A754A4FF37367D635D36C5ED506E88B0D9FA87488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CB5-6352-F602-000000008C02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5CB5-6352-F602-000000008C02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CB5-6352-F602-000000008C02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.151{EFF5EEA8-5CB5-6352-F602-000000008C02}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:49.147{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181A72E43B4FA5944956EA5FCE6ED37F,SHA256=795B72B36C028A4C2324550CB1897E435BC970D46AB9C42E8C125F7A606D3AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:49.263{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E229B005B256ECC52DF08D308CF7DEA,SHA256=01FE4F4C17F17763BD74786A43E63CD8CAF4454D6376207895F96FE45484DEAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:50.209{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB298CC3CCFC38C0D71FFC4669267D5,SHA256=B761900FD940C708B8823F63862A0AFF27D742F60793F141A968C3CCF0F21C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:50.276{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF122B9D2176818E2A5CC3471224CA7,SHA256=2D77006A3608BBF3C81571E2CEB1A30FF87C2A5738FD24D804A760FA65255863,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:51.569{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:51.285{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C767204FE76CCF770D50D046975C6A98,SHA256=11632F402536EBEF85AB92838F1BD110632B425CAD99452A0A1BE893179D9954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.902{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.874{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.859{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.853{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.845{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.794{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.779{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.773{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.759{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 354300x8000000000000000201728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:48.492{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:51.292{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C742B3946D49F52A3E4917F53AE596,SHA256=3C87B644BCF1ED47A488D3665F56920DF99772D7916ABA03506922B121CF8627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.398{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B848CAB32A6F33BA3E261D2C2E587E,SHA256=5AAE9077551CE12B5AB017F71E64CF7A08D935EFC54CF52A6E698E1CD43A1A63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:50.441{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:52.500{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746FE479FD7E1A1AE438AD9419E19792,SHA256=6B64C70B4CF7ED87BA33086497A8249D6C4EC2600F971E364D7CE996BE59AC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:53.559{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C046D34682B968817C0B5D7242C88A42,SHA256=0B8132B324A95CA6E0ABFC86EF141A0CDBF21F98B2EFD05317727344BED467DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.875{30B46F62-48CF-6352-9A00-000000008B02}48047672C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.875{30B46F62-48CF-6352-9A00-000000008B02}48047672C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.875{30B46F62-48CF-6352-9A00-000000008B02}48047672C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.871{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.871{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.851{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.851{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.851{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.851{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.847{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.847{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.847{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.847{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.835{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.835{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.826{30B46F62-5CB9-6352-AA03-000000008B02}9684528C:\Windows\system32\conhost.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.810{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.759{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.759{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.755{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.755{30B46F62-48CF-6352-9A00-000000008B02}48044868C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\SHELL32.dll+100749|C:\Windows\System32\SHELL32.dll+ff2f6|C:\Windows\System32\SHELL32.dll+f1bc9|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+fe2d3|C:\Windows\System32\SHELL32.dll+fe19b|C:\Windows\System32\SHELL32.dll+fdab7|C:\Windows\System32\SHELL32.dll+fd77c|C:\Windows\System32\SHELL32.dll+86fa7|C:\Windows\System32\SHELL32.dll+86f05 10341000x8000000000000000293183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.755{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.755{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.753{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000293180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:53.412{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83683212709BCD856938E21101250276,SHA256=348A470BF0C6F38E4E96ADD7DE09D191AB05B2FA0E4A60A4B0A8D189590A577A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.110{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdfrc04.francecentral.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.096{30B46F62-4D08-6352-6F01-000000008B02}2076onedscolprdfrc04.francecentral.cloudapp.azure.com051.11.192.50;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000293222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.783{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81517722BA97C1ACCECD55F640C95450,SHA256=5B6C8849658898FDBF5BF0A4B50CAE290CD7E19DC223FA241E1A9960A1C446ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.755{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.755{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.755{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.754{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.754{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.754{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.747{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.747{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.747{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.746{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.746{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.746{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000293209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.435{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B2FD7370F8A08927A07597CE7AC1CB,SHA256=45808046CF954C6D51F7E4621486D1BE0BD867C2B5152037C7D83B386B4C153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:54.639{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938843610F61BBE5793FF60A5A272246,SHA256=021D216D9D0B2B0B02CFC34778600B4767A3A9CBC02FFB68D1C689C50AE38C09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.092{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49171- 354300x8000000000000000293207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.092{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65277- 354300x8000000000000000293206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.087{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64168- 354300x8000000000000000293205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.063{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64168- 23542300x8000000000000000201761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:55.724{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7538A494238797E485F30FA2F51DDAF,SHA256=5E833E7FB9035181B092A98A38C835EDD4D7393756C5DB5D7D8D18EDE391D4E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:55.552{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30A60252BD8990AED64AF37671202AF,SHA256=6E8060B816C0249519224D3446BDE2F02C9CAE149D8A27CD3503B39EFC7319E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:52.182{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57265-false51.11.192.50-443https 23542300x8000000000000000201762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:56.814{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31F4E83455E74FEB66A2A00185586F3,SHA256=F3645644AADA9FD112D1289A7BAE780F66477F7B8EAD1F0D56B7B1406048B902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:56.658{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC26A7375A12F4525B525C594C3D961C,SHA256=39449A9C516243221336AD67FBCA33DF0E5D7029B87D4791717C73EA693E7CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:57.894{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F446AFCEB87BCE395E78D795453038F,SHA256=DA787E4BAA695AFBCDDEB4DE0D4E6DF6ECE7A6E5F613441DAB34EE55CC1F36D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:57.779{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A56E7C5E392E373E772788035FFCAB,SHA256=FEE4D8E90CDE29AA37EE554375D6EC67DA1C91CB7463D6FB1AC6E0723CECBA5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:54.429{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000293228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:54.493{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58400- 23542300x8000000000000000201765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:47:58.970{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC6B2061C79DE6EDE9A1E78BAE4F137,SHA256=4ABE7792732AC8BAC80E98F4BD2C1F721DA2F4C5359B853BCD742D9274E79CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:58.992{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B2FFAF64E1F2220CFC8E807FD8B822,SHA256=6E97403B544F50BD475F8CFCE87665B4B1B30FD97959C25EC6D49CF04E8F82C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:47:55.575{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57266-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:00.051{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F45D3052731475BA92DB78657574351,SHA256=40BF0CF99B239D80CBE5B0FA7B728F3E2F44B95ADD86DC09DF8B43B197D6B148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:00.100{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E82B8F51414A5E3529DFC5243B7F5F8,SHA256=1228A1F7D87F3CC46CDC736BC3EAF1F5FC79677F9301EF13534C1452AD0BBDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:01.128{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49656B17A166457B208E8DC1E34E5F42,SHA256=839DA89DF5400ABABC8500031601BDE0E9201E1D16CEAD317A1DDAA9FA36F7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:01.847{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7648032E00A24C3A795A18A13CD11CEE,SHA256=1CA2D3F93EAE85B582DEDEFAE46EFE634E1707234ECE73F20E6AF97D2E1CADF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:01.132{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55BF473370DB58FB2A8325C82A2A3B5,SHA256=FD719A66395F9D6149CE88C73EA17B23057BA1ACFB779A27F1F2C837031E6B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:00.376{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:02.216{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736B5575C529B5C4F9476FF8D4213205,SHA256=2CB70F275763655073E26AE131E8419668030D89295F55B29926DF5854BE34D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:02.223{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC9E7F9C5B0B989A96B9C9C901C73EB,SHA256=18E135D573FF00344CB20D6451CD6120ECCDDF7E5CCB86BE7A8558099595D1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:03.306{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11311A38841689CB1BD32C5FD7AB6043,SHA256=1AF9A21A717404102C2A17F5EF5F5166CDFC5B75E858C17CF6EEDA82AFE625E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.999{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.997{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.982{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.981{30B46F62-485E-6352-1000-000000008B02}3081312C:\Windows\system32\svchost.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.981{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.972{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.962{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000293245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.962{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2179495D3F2AAE0BD4984CBC63A41087,SHA256=DC13D1E1811528E9AEAC45D150AB2471BF5D7BA08513256FFAAF46A6BDE9721E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.953{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.921{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.901{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.891{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.876{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.862{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.810{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.807{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000293236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.277{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402E591037343C9CAF9F89F2AE31184D,SHA256=DFA444806AF3E279213F9FCA474470555D78A18CC6012CF59984E1C4E82BC804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.652{30B46F62-5CC4-6352-AB03-000000008B02}5716ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-ctus-attack-range-188.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000293275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.593{30B46F62-5CC4-6352-AB03-000000008B02}5716C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000293274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.552{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9B304801C41B9770C98B71782104C6,SHA256=D4C0E45181429A83F37300C152F80D5F3C8563D4A80EADEC314EDEEB0E2D7B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.457{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.453{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000293271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:01.465{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57267-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:04.904{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FB2EBF931BD66D2DF06CA0B37B95E09F,SHA256=3FB852AF8A4B320FC413EA912F4C2B3A199FC27991E19FDBE218E5302DBB7B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:04.388{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461D6D536B6499F69B6A81591BA89B9D,SHA256=70A706447C2A7DC2AF58E796CB0FE04ED2BF437F358A893B63BB90B48DD901BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.092{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.091{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.090{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.090{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.062{30B46F62-5CC4-6352-AB03-000000008B02}5716C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\domain.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000293265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.070{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.064{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.061{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.058{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.058{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.055{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.041{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.029{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.024{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.023{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.019{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.007{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000293278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:05.430{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AFAEEF8A8CBB712918ACBBC381EE26,SHA256=1373E497E9A31DE6C11771E7F5DBA48D1A8307292FA9EC6FEE8DFF0AF70E5A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:05.475{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95189A70FE25113CB8240447A8B794B3,SHA256=BBCB29BA9B6FB22B90B8F67D14B891FF079D827BDC2C12B04E4E2D432B6B24B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:05.110{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02817175EE581603A09E06ECE6DD96A2,SHA256=4B7B9E0E214F16170E00E7435F226AC50AA5EA35F1E67D13FCFB8A0622102421,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.128{30B46F62-5CC4-6352-AB03-000000008B02}5716win-dc-ctus-attack-range-188.attackrange.local0fe80::94c:2225:56b2:7f4f;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 22542200x8000000000000000293295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.128{30B46F62-5CC4-6352-AB03-000000008B02}5716_ldap._tcp.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\System32\mmc.exe 22542200x8000000000000000293294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.128{30B46F62-5CC4-6352-AB03-000000008B02}5716_ldap._tcp.Default-First-Site-Name._sites.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\System32\mmc.exe 22542200x8000000000000000293293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.963{30B46F62-5CC4-6352-AB03-000000008B02}5716win-dc-ctus-attack-range-188.attackrange.local0fe80::94c:2225:56b2:7f4f;::ffff:10.0.1.14;C:\Windows\system32\mmc.exe 22542200x8000000000000000293292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.962{30B46F62-5CC4-6352-AB03-000000008B02}5716_ldap._tcp.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\system32\mmc.exe 22542200x8000000000000000293291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.962{30B46F62-5CC4-6352-AB03-000000008B02}5716_ldap._tcp.Default-First-Site-Name._sites.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\system32\mmc.exe 22542200x8000000000000000293290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.961{30B46F62-485C-6352-0B00-000000008B02}628_ldap._tcp.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\System32\lsass.exe 22542200x8000000000000000293289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.961{30B46F62-485C-6352-0B00-000000008B02}628_ldap._tcp.Default-First-Site-Name._sites.win-dc-ctus-attack-range-188.attackrange.local.9003-C:\Windows\System32\lsass.exe 23542300x8000000000000000293288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:06.537{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73379963897905FE6132BAD15D303650,SHA256=C168B17FABE679E115D6C7190952C9843E13CD5814E92A7356094BCEC42EFC4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:06.513{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:06.511{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:06.510{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000201774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:06.553{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0E7EA1467CD0B5282F11E69AE10393,SHA256=A900AD5A2C8B363E74CD9A7B31552C0A3C032B0188656FC3FE030F8AE14D71C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.125{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57269-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.125{30B46F62-5CC4-6352-AB03-000000008B02}5716C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57269-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.964{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57268-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.964{30B46F62-5CC4-6352-AB03-000000008B02}5716C:\Windows\system32\mmc.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57268-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.957{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58828- 354300x8000000000000000293279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:03.957{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50426- 23542300x8000000000000000293332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.929{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF9DAD0FC2E18A5ABC3ABFF306FD83,SHA256=087EF5346EC60E808DE7DF05E29925C2289B8A14375C7A5C17D0C4359DB0B198,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:05.427{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:07.624{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453A21C63F2DB9630E86714BCEB11DCF,SHA256=410ADB8EEF70684C937B95E98EF8BB55F1612D72BBAF98405EFFED4E2DC2D52D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.128{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57270-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:04.128{30B46F62-5CC4-6352-AB03-000000008B02}5716C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local57270-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000293329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.195{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.195{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.192{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.190{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.189{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.189{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.187{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.167{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.165{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.162{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.159{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.158{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.157{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.153{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.151{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.149{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.140{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.116{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.104{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.102{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.100{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.085{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.072{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.052{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.040{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.037{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.035{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.033{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.031{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.030{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000293297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.028{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000201780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:08.713{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4B793C27F2DEF6A5C613025F760EC5,SHA256=A0F93A76AF765AF71AE9D8157B01F0130194E41F4BE13E3AC3C085D0F770265B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:08.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:08.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:08.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:09.795{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F710333992BE7AF233D52E60E46528F,SHA256=DD00E229A674CE078A1C1E84778D8BBC73557E0BFAE014D7B527CFDCE6D7AB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:08.996{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1BA4C91FA14B56DCC320640700FA85,SHA256=6DF85535249ECB3FAA63B2977985265B748F8FDBA1CBAB60B85138C45B0AB894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:10.885{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE8C4727C6A7587C2C6F2CA67CE6752,SHA256=DE75E0456FE635CE9FD318164397AFAE684248541626961476FB98B30F3F4133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:07.420{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57271-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:10.030{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370DFCF7328356271615116057F11B4F,SHA256=F4B2CFF798571B40DB71FE4F490EE65738A1666F66D5E33F8FE22456765FD3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.962{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15856FF671FE197669A3418A125794D0,SHA256=F485C6F0CE35AC7041245FF99C9B1C9903D06EECC8BE942A1D9B173B7873EB17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.952{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.950{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.948{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.945{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.944{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.942{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.941{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.939{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.938{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.929{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.919{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.888{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.867{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.851{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.802{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.793{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.785{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.776{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.769{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000201783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002540C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838850) 10341000x8000000000000000293339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.413{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.397{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.397{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.081{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7CF3738F976A55D38B229B7891A8F2,SHA256=E651A675D9C970ACFB024FDAC132F71F8A80BD92B694687796CE3672F18FB67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.531{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.515{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80a49|C:\Program Files\Mozilla Firefox\xul.dll+e80d2b|C:\Program Files\Mozilla Firefox\xul.dll+121ed8b|C:\Program Files\Mozilla Firefox\xul.dll+e7d527|C:\Program Files\Mozilla Firefox\xul.dll+123b459|C:\Program Files\Mozilla Firefox\xul.dll+cbbf1|C:\Program Files\Mozilla Firefox\xul.dll+c50138|C:\Program Files\Mozilla Firefox\xul.dll+c4fe6b|C:\Program Files\Mozilla Firefox\xul.dll+18cc32a|C:\Program Files\Mozilla Firefox\xul.dll+1895d88|C:\Program Files\Mozilla Firefox\xul.dll+1cb4920|C:\Program Files\Mozilla Firefox\xul.dll+1e2a3ce|C:\Program Files\Mozilla Firefox\xul.dll+1896178|C:\Program Files\Mozilla Firefox\xul.dll+1cb4920|C:\Program Files\Mozilla Firefox\xul.dll+1e2a3ce|C:\Program Files\Mozilla Firefox\xul.dll+1e36802|C:\Program Files\Mozilla Firefox\xul.dll+1e98cfb|UNKNOWN(0000017F81FC3F00) 23542300x8000000000000000293340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.162{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEEAD8225D526B06CC775BB7991E228,SHA256=C989AFC7C54CE3DE4BEF22648F86A169504B02727AC0678D7A23A8A04D1164A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:13.040{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A655D6EE522D7A72484391DBD25F413F,SHA256=344972AB44DFFDB2A2795CE9F59ACE7D281411FFA07458FB0701C2422351A170,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.980{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52155- 23542300x8000000000000000293344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.240{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.189{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2078B4F9DA16FF8F34DB1F0BCFE413B0,SHA256=032DD8580E4AC550AA53CB8EA38A869D67D63A9D27442E01F646022A77183043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:14.370{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000201815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:11.379{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:14.111{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BEC6968AF7AF57A3DF0492BBD9B9EE,SHA256=754A77C8AFA3763BAE9815B29C3BC36DB29540E4759D14C45A165EAF313F4BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:11.998{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57272-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 23542300x8000000000000000293346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.220{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2408200700C289576C5B5FC036CE5D5,SHA256=FAE97ED8D72DE3157E7C5400CE5C7B31EFE437ED52005799878CC2258957BD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:15.893{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-084MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:15.191{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288AC5C808ECAEFA9E137A73EC3A60E1,SHA256=731BFD162AAD8EFBB065F815A76F385277EF3FE26809B4BF79DC7294306B749D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:15.906{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF4fece0.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.987{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64008- 354300x8000000000000000293361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.984{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50262- 354300x8000000000000000293360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.984{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60130- 354300x8000000000000000293359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.982{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62200- 354300x8000000000000000293358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.981{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50282- 354300x8000000000000000293357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.980{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51246- 354300x8000000000000000293356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.980{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52745- 354300x8000000000000000293355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.980{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52768- 354300x8000000000000000293354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.979{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64136- 354300x8000000000000000293353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.978{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58402- 354300x8000000000000000293352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.425{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000293351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.285{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57274-false51.11.192.50-443https 354300x8000000000000000293350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.284{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57273-false51.11.192.50-443https 354300x8000000000000000293349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:12.206{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65391- 23542300x8000000000000000293348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:15.240{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C60F126A4DC0C3C709111BC40E1183,SHA256=B039679DA672B149797FC12B1773C2F48A191D20AE470898347193C4D8B611DB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.014{30B46F62-4D08-6352-6F01-000000008B02}2076reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.009{30B46F62-4D08-6352-6F01-000000008B02}2076www.wayfair.com.cdn.cloudflare.net0172.64.147.14;104.18.40.242;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.008{30B46F62-4D08-6352-6F01-000000008B02}2076www.wayfair.com0type: 5 www.wayfair.com.cdn.cloudflare.net;::ffff:104.18.40.242;::ffff:172.64.147.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.001{30B46F62-4D08-6352-6F01-000000008B02}2076reddit.map.fastly.net0146.75.33.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.000{30B46F62-4D08-6352-6F01-000000008B02}2076www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:146.75.33.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.994{30B46F62-4D08-6352-6F01-000000008B02}2076twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.993{30B46F62-4D08-6352-6F01-000000008B02}2076twitter.com0104.244.42.129;104.244.42.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.991{30B46F62-4D08-6352-6F01-000000008B02}2076twitter.com0::ffff:104.244.42.1;::ffff:104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.990{30B46F62-4D08-6352-6F01-000000008B02}2076dyna.wikimedia.org02620:0:861:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.988{30B46F62-4D08-6352-6F01-000000008B02}2076dyna.wikimedia.org0208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.987{30B46F62-4D08-6352-6F01-000000008B02}2076www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.986{30B46F62-4D08-6352-6F01-000000008B02}2076star-mini.c10r.facebook.com031.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.986{30B46F62-4D08-6352-6F01-000000008B02}2076youtube-ui.l.google.com02607:f8b0:4009:805::200e;2607:f8b0:4009:806::200e;2607:f8b0:4009:817::200e;2607:f8b0:4009:807::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.985{30B46F62-4D08-6352-6F01-000000008B02}2076www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.984{30B46F62-4D08-6352-6F01-000000008B02}2076youtube-ui.l.google.com0142.250.190.142;142.251.32.14;172.217.0.174;172.217.1.110;172.217.2.46;172.217.5.14;172.217.4.78;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.984{30B46F62-4D08-6352-6F01-000000008B02}2076www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.190.110;::ffff:142.250.190.142;::ffff:142.251.32.14;::ffff:172.217.0.174;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.5.14;::ffff:172.217.4.78;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000293367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:14.005{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62776- 354300x8000000000000000293366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.997{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61091- 354300x8000000000000000293365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:13.989{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61195- 23542300x8000000000000000293364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:16.362{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483F4309D61FDB5A45E5855C989F1BD2,SHA256=CEFDA44960A8F08703BE13FED13A24621BC94C0E08213594A5377F337264E337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:16.897{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-085MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:16.271{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2549F06C1C2C68A6F707C0FA60869C85,SHA256=4291083DAC6E609507B100947EA1276963D55CEADB975FC2F15A32CC19FFAC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:17.389{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B68DF60A91C18C51E10357C7DC25EB,SHA256=95C37877A427CA6382B51C3C9E675FD1FF36C05263E7C278E549375ED09595BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:17.371{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19AFA6370E09A6E48FD6183C05E2E6F8,SHA256=822BB08F703AF0259422721B38EAC4F772AF5F8F07192680F36641B98AA85543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.956{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.941{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=4A1031ED2181691D09635AF247D2F378,SHA256=75A276F05546D4B5C71277BD55A201994463C2A0ED478C8E21119A93AB6999D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.938{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=97BF064F7B5762550DE990C0CBE436D5,SHA256=0454B8398904BFC24E69E9CC3F574E343473458C2D4B41E51A96FCC3F54FCA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.935{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=ABBB1623716BCCB89E62C96878A48197,SHA256=E76CF0570173816F4EAC82BCE54473AFAF1C80B68B094C393FA9D3D138D5F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.932{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\events\newtabMD5=1AB2B68ED9F8643B97EA2ABE07A49323,SHA256=1D75B53D5C9FA1D236A2542C9407D76A1F0E12CC4DD1B21CBC30F455C75EC3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.927{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=13FE53730C274D5E4DE81A3B45B4045D,SHA256=C39AC64CA335BF72B7289A28695AFA4E1C69A86CDB092280602459D8F97CE2FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.919{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.915{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+44ca766|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624 23542300x8000000000000000293386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.844{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\formhistory.sqlite-journalMD5=E862E931C6309085977E5A5761086D11,SHA256=06221E4615649DF9562C1E2AB85F9E0AD34E27118CD274557D524C66B214A7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.399{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4B83E0BE4F06D057F7AF1492498073,SHA256=80416B8807C05CF95DDEBDC0A302EFEE8C1F5343685AAD4D6789CBB424E16D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:18.467{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6974733369906EA3D6D4C3CCF56C35E7,SHA256=992861AE312EAB3A13BC7812F40580DB788EDB4EF9828EB4115D63DA3349D811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:19.541{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB1D52AA89A73DA961E0C2056044FE3,SHA256=F47965E260B7F1E9794D29684E737A62C4E0831459839E78EA8B21E19253EA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.332{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60041- 354300x8000000000000000293435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.330{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59192- 10341000x8000000000000000293434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.961{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.958{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.954{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.953{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.952{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.952{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.951{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.951{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.950{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.62.935851879\706818272" -childID 60 -isForBrowser -prefsHandle 436 -prefMapHandle 660 -prefsLen 32029 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d381f4-db8d-4a64-a649-404993044648} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 7300 214dabf8558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000293425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.949{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.949{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.948{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.948{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.948{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.947{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.947{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.947{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.947{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.946{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.946{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.946{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.946{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.945{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.945{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.945{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.944{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.945{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.944{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.943{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.943{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.943{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.943{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.943{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.942{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.942{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000293399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:19.938{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.62.93585187C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000293398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.925{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\indexMD5=749318072AA0E44E7C851005D1997019,SHA256=EA8526EC8DFB35BE3822AC056D507FE3B197716BF52F1291D9FC0869AA74A20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.421{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021ADE03A48E625865B9E78E7DF1764C,SHA256=914F912B79E38505987B2734FB19E405F8BFA368EC6921AC49914E81CA7E6524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.329{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.064{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\pending_pings\39a34ab3-44d6-4f07-b261-933fa2a0f4c9MD5=389077525DB06136C7AD20F888710008,SHA256=DB49E63FB167EA47D8D690884C84BFB2DA2CC8FFE6FCEF3846A5BF2A1DFC4247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:19.369{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F1A7C17B3463A22D3E8CEA926B20BEAB,SHA256=9E73CEF853EC9AD5FEBE01FC92A14824D481AB1A6B3799424A427D57818CC95F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:16.542{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:20.648{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96F2D0702D4981F4B02E313A05DCA49,SHA256=97CECEF7A1E72DEA3B6096308E311BA573163B7BCB8D08C94341FCFE43CEC50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:18.458{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000293460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.459{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.459{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.459{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.450{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3245CD5601E8537333FCBD441A02F6F3,SHA256=45934746EBC3C23DAF97752BF562B4F5C6BAC76EB6C20029AABA0254EA534703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.364{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.364{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.364{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.363{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.363{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.363{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000293450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.320{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3D5C1F89B469BF58AC951C46F1BB6C,SHA256=14DE5E816EF56141BDFBDAC9C476EB9CD8C4B63DDDA02E72300DE26DE25ECB53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.129{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.125{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.117{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.117{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:20.094{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-59C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000293444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:20.094{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-59C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.074{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:20.070{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.3459978300107643719C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000293441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:20.070{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.3459978300107643719C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.070{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:20.070{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.62.93585187C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:20.062{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:20.062{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000201830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:21.725{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4554F48458D316C6AC2EC059A1D0673,SHA256=0022D056A763496BE64C3C469C15BB772181FD37131CBB5D945C063143D0BA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:21.459{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B7A267F48CB7FEC09DD99BBBCBADC2,SHA256=9C3AC07F792812204E05EDFF22EBF716E33E82384E9E82CE35CB2CABD3F13E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:21.117{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1096AFE35F390411EA3BD94449FC834C,SHA256=118E280672DB09554F550759ABB0360BC777ED2EDB64511E4FF4A5B3500167BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.317{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61517- 354300x8000000000000000293464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.313{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63977- 354300x8000000000000000293463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.281{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59604-false142.250.190.78ord37s34-in-f14.1e100.net443https 354300x8000000000000000293462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:19.183{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59603- 23542300x8000000000000000201831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:22.819{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7294B9B959D74B68F5E25B7D3C98AA5,SHA256=E2FF6A406C77DF6363358325672B2BDC105803D7880F8C025F7686D038344C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:22.576{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565084AD53AB81108BDE4EB7409163ED,SHA256=B23A9DF8D15BAD8CA464F1CD4F5A62277216FFF366102393804659D2D5E06111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:23.900{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECFC8C25F7F6D8D56D6BDDC9BB065D1,SHA256=904C94DB5423301EED8675E7738FE1CB089FC6881AB9480FAB54ABA1B241FF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.996{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.994{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.989{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.987{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.979{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.973{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.969{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.968{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.966{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.961{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.955{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.943{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.936{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.927{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.917{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.888{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.876{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.869{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.860{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.852{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000293472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.833{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\31723MD5=B3B00537E300073F6565158B534BBF15,SHA256=1337428E82FF12F40D135D7283848BF07CAA2984D680C723A7108062D5A2B00E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.812{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000293470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.809{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.589{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B3F3C4A05DBF4487EB18A6AB9C158F,SHA256=D8134E30696D5FE4B9EDB7C240CEC360445DF661A8862C98619A8A92AF64AFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:24.987{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE12E2CEF36F24C792F6DD5E9A00EB93,SHA256=27E44FFEA09AAFF6FEEE6A7738C6CECDAA6870972FF1CD41E611077A83B6F666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:24.607{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=A49466CC5BE882C5C635EB94D876C853,SHA256=89DC50ED5013CC55E69FEAB3E50C92ED1D88949D28355085F9A7645747D7B8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:24.599{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\usageMD5=5D456D675D31A76D499E6EE4F8737A2D,SHA256=7ACFEF8A5EA593020FAD489203C41A933173D3F951194188CC2FB94D8CB7C7E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:24.410{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:24.404{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:24.001{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000293499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:23.523{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57277-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:25.075{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735CC19F899C5EE187DAD57DF315E1C2,SHA256=A0BE692E4B5DB424A25C44DE8F94835F20E343714C6E7E986B2EF534F86D75E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:22.516{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:26.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7315ACD4018A5A0DB4BA9F3CE87DFA13,SHA256=15F659484C874BBB82BDDB848097B361D4286EFDC62AF77D77911B869A556904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.976{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.961{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.947{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.942{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.941{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.938{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.935{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.934{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.932{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.931{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.424{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.423{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.420{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.302{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.302{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.302{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.286{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:26.132{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD676BEEA5E359A3281B69725E44532,SHA256=406CAA3061F9E384B127808DF979FC2F33280D2D7B30AC9B6956507012BA96EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.821{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-084MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.710{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000293544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.710{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.710{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF501af5.TMPMD5=EAF3A174E348F5C24750BECE2A0CB62A,SHA256=CA3D56BF863CB31DBF16DEC6D06FB158A533AB46D826221E6CF9A4CC7EFAF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.645{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15F92BD46BF89A52379CB490B51FCDD,SHA256=046A2523E3DFE32FCF61B30CD9EF0DCABBFFB1C8B25215DBA63C0FB1F1171BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:27.172{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E27F860A76FD9C9E65C09C9D3875BAE,SHA256=FEF84FE33532E1EFA408DAE29E515DB68B4F6D13E4F25AB3C9BE0BF1E0A7257D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.168{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.165{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.164{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.161{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.158{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.157{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.157{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.154{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.133{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.130{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.124{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.116{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.115{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.114{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.109{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.106{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.104{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.095{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.067{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.060{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.058{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.053{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.033{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 10341000x8000000000000000293518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:27.024{30B46F62-486C-6352-2D00-000000008B02}27203396C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013900850) 23542300x8000000000000000201837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:28.250{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357D77AC057977DB888DEDACB6BC0638,SHA256=C2B8D51BCFCA0F14C53CE78ABE102E6E5BE0DF9F51281102A716911DC8526578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:28.822{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-085MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:28.684{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63CB00A53F96645BBFF6FB63FAE317,SHA256=C63B948DFA80FC6E5E00D793F7E8F7F21C4336A7D25A6C97589CC33DC577C056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:28.664{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:28.664{30B46F62-485E-6352-0D00-000000008B02}8885436C:\Windows\system32\svchost.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:29.970{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:29.335{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10229A90638246F6DB60FD38F11BA5D3,SHA256=A2A65A52814790989EA985630C7165E40DFAF7AB66DA5C38C6CB491B96DB5A7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.781{30B46F62-5CDD-6352-AD03-000000008B02}78686584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.702{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510D14984EBB8DCD48FCF81B0C72B30B,SHA256=5589AB3D6606DC2DE44404049BF2BE601BA10DE159EF0749B048FDE07AA99DFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.566{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CDD-6352-AD03-000000008B02}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.563{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.563{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.563{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.562{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.562{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CDD-6352-AD03-000000008B02}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.562{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CDD-6352-AD03-000000008B02}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.402{30B46F62-5CDD-6352-AD03-000000008B02}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.741{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CDE-6352-AF03-000000008B02}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5CDE-6352-AF03-000000008B02}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.737{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CDE-6352-AF03-000000008B02}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.738{30B46F62-5CDE-6352-AF03-000000008B02}6300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.721{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F1FB94D59161A0F858EA47A06925F0,SHA256=D75E9B869BD09356E8C95D5A5F29841FFE8B8D0A18CD32040DD034113DBE0C08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:28.477{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:30.434{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD71D44DA4F6EF262112911BD6D89448,SHA256=95BCA5218965DC6833B9530CFF0500B0E30891DB6A0668363544FA3C3FD3D1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.459{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8367B3A6C10B2C1E96A7D38C6E69570F,SHA256=D2271951ECAB305B56D7B1D68CBA7CF2119DEF48C1AD9B1BDFC5CEC413BDCE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.436{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F96394F2DA613E229FDD6989BA22F89,SHA256=AE1EBE6A31758C57C5CE5859CDD20FDB1EA5D4B6BA6B52ECD643590C57190AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.192{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CDE-6352-AE03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.190{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.190{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.190{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.190{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.189{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5CDE-6352-AE03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.189{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CDE-6352-AE03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.189{30B46F62-5CDE-6352-AE03-000000008B02}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:30.091{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:31.949{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06A5582C640CED2540F56055F9F5D619,SHA256=5F1EA910D83940EFE2C1685648AAD2E480B9F2954881952AA5908B0B6569C0AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:31.917{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=962E533C3B3705FD6F8E3FD49CAB3986,SHA256=806B4A8AB9C796120C6FFF742C11FB5C832A72AC3D1B5050A629FF3F2DAC4D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:31.844{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A03D7A3C1189E641D0CFDD56F20C75,SHA256=704D0C3C603B20D7476F4A37DE4FC087723701442EB463267C4AEC64D1643471,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:29.441{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57279-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000293581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:28.548{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57278-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000201872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.943{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.939{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.937{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.933{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.931{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.914{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.900{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.881{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.869{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.855{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.847{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.840{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.800{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.794{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.786{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.773{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.766{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000201844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.763{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000201843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:29.265{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000201842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:31.510{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244263E641B2CB23019DACA9340AE334,SHA256=42271B66C7D98284B280CC4E3F37D2005AB3A439F34D7BF741B28DC0E4719F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:32.646{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D77E7C50AE61BCF6DA5F4EBC3CE6FC4,SHA256=23A5CB80922487BB4E635F1959F990F0CE7A8D5AFEFE18C0008973303B6D6B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:32.862{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A026F052543EBD0BAE1B0440340B2F02,SHA256=C73CEFF3B0DE62CA8B8D5286DAE54EFFD7B2F2D36A88059894EE9EA9945A4E7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.980{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.980{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.980{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.976{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8F0CA6965B93D37775BD5A456CDA81,SHA256=F1C2FDFC4DCDF30C9661B14E909134B2B7C994DF04A18FA9E7DCEA95F250A4D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.976{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.976{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.976{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.976{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:33.779{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3A9AAB768CB06B80ED84D2C1D8D2C7,SHA256=F12E8FA28897D880621E786C14824F16F21AEFEAA0618E764836BB7FF29481E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:31.768{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57280-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000293596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:31.768{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57280-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000293595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.451{30B46F62-5CE1-6352-B003-000000008B02}81607488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.199{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CE1-6352-B003-000000008B02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.198{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.198{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.197{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.197{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CE1-6352-B003-000000008B02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.197{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.196{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CE1-6352-B003-000000008B02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:33.196{30B46F62-5CE1-6352-B003-000000008B02}8160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:34.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982678A0C35CA8A76D8C10FC72AB77A7,SHA256=69DE9BAC913281A03451C47EE9C4BDDC5FB4571244DFC843D88E00B6FC629F14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.713{30B46F62-5CE2-6352-B103-000000008B02}24286436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.501{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CE2-6352-B103-000000008B02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.501{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.501{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.500{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.500{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.500{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CE2-6352-B103-000000008B02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.499{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CE2-6352-B103-000000008B02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.497{30B46F62-5CE2-6352-B103-000000008B02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.842{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CE3-6352-B303-000000008B02}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5CE3-6352-B303-000000008B02}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.838{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CE3-6352-B303-000000008B02}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.839{30B46F62-5CE3-6352-B303-000000008B02}7216C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.596{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0267E19A41B4E65F759C84023433172C,SHA256=9BC66627C61C950738E293E9DD86272AD042C2934B6154457CC55D18FFC3C3CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.346{30B46F62-5CE3-6352-B203-000000008B02}67121660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.202{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B6AEFCD8108D2AB2E6252644FC51AA,SHA256=7EBAC27BA4914581376A4A3450E449FE3A10D9DE9D993585630FE1BBC461A2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.165{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5CE3-6352-B203-000000008B02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5CE3-6352-B203-000000008B02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.161{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5CE3-6352-B203-000000008B02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:35.162{30B46F62-5CE3-6352-B203-000000008B02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000201877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:34.467{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:36.052{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9626A6A4F68B5FB8A21E3F8D172FCC49,SHA256=43D40A8372049778306ADBF28A7DBF5B0F04D055181B2ECA97B619A04B4DB88D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:34.444{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57281-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:36.227{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9DFED419E30F39982FB4987A77CE5B,SHA256=1436B9DB405727B7A9CD465892114D8F5545AD19703DBD245760E355C15A6BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:37.236{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD2153006BAF4CB573C1D58A1F01BED,SHA256=F3D4B18447F2C8CD8C654CE64DB8D743F9A6C1D4A15840EB966D6AF51263BA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:37.141{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75940FD011317B4140BBB626377B239E,SHA256=14137427AF10C331CF5B37EB85E5C75D258A0DCC89D805F355DE0148799210E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:38.350{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC92123B1F2A488945E70CE7259A2D,SHA256=3FA16A6A222599FA49E296F8D172EE8E7E7889175CA00B71C083C4073AC3CAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:38.212{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584FE3A9D7ED8ECBCCD10D0F15AF5620,SHA256=02AC6477894546D2E79AF9BFA4DE294B128D82F1FD56717E8497E7C156BC71F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:39.567{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B18415F7598FA19AAA28797ADD6CCB2,SHA256=84E3BEB76CC436366DF389D89D948444794A19FAA07845BC78C9FE4B99241665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:39.292{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D922ED5BC266B63876DC7EEDD9076595,SHA256=7F5B8673809BF5D8D8B9C7FEC1770ED28A210A5A06EDC1B88AD1115C0044BB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:40.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1E2FC096D767B4EFCB3F17F133C4AC,SHA256=C0D849F022D4593E1CAF6E661533DFE9DAC162D0F56922FFAFB606F35AB8FA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:40.373{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331DBD558B1B4A42EF31D1873B6697A0,SHA256=078632FCC0D9B5C593BD1B0A5C24EECA1B5404AA0983F0D631F965A51F92A045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:41.455{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060841A881F2D9D478DB98FC9056D9CE,SHA256=8A6A68D465FB374026731E1AAA1B7D68CA893A8FB31AA0E819F4C5B737628CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:41.786{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3CC9E61EA96C380ECD98C1D383B22E,SHA256=D9C18CAE381D2A1F6FBF768E5A1D068CED38E999DF74BE083B2DFA8522F12C29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:40.457{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:42.549{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A942BCE92BE8D0BA396E9B9F8AED487F,SHA256=935853F9EDBDC3CCF238843F94A19D7A2D2CA7E447EB6D07019EDB54755FAE27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:39.599{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57282-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:42.891{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC9645F4E0224E861942B9DD184EFEB,SHA256=AFB23D6B1BE6977D6B6E73434AEAECB6323D9BE801F3BB5784A55C000CA4DD24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:42.101{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:42.090{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:42.090{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:43.611{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD296584A550ACBD8D08186410EEEB9,SHA256=655707FA3FDF3AFF58B2C6D8CB557239F7D2C55FE071BC8F7E483F210AC201F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.983{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.970{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.958{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.948{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.921{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.910{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.902{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD932D2C9C87DC0A38BB2713DF0195D,SHA256=EFD0F9C20374B1262FCDE5473E61450B8522D8FC4F6DB0D299F59012E25E4EB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.901{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.891{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.882{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.805{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.802{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:44.698{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425A4534E2B7761188FB838E84B00146,SHA256=B3AA57305C76283A18462DA8DCADEB16E0595CC1169C96F5BA9B8265FFE72813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.917{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721D3343AB7F9D08AB032ED3F807C9DA,SHA256=7743637A6299B3E66165167ED391DF9241EDD741F0131958A2267A3089560E45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.457{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.454{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.062{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.056{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.053{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.045{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.042{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.030{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.022{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.019{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.016{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.014{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.005{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:43.999{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000201901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.787{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FCFBBD8B949D6498520724BC1753CB,SHA256=5E8363BB0ABE3CB77D7AF4D82266B0944C6E12648D8726C5CABCDC346F356454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.631{EFF5EEA8-5CED-6352-F702-000000008C02}39443144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CED-6352-F702-000000008C02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5CED-6352-F702-000000008C02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.475{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CED-6352-F702-000000008C02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:45.476{EFF5EEA8-5CED-6352-F702-000000008C02}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000293687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.311{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64681- 354300x8000000000000000293686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.310{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51262- 354300x8000000000000000293685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.265{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57283-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.234{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58402- 23542300x8000000000000000293683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.933{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A001F7C5D85C14869110AA4B282C1947,SHA256=3ECA026E59C3B76FB242F259241223E495C9F7669D854E67864604A804511C9E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000293682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.524{30B46F62-4D08-6352-6F01-000000008B02}2076cds.s5x3j6q5.hwcdn.net069.16.175.42;69.16.175.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.523{30B46F62-4D08-6352-6F01-000000008B02}2076code.jquery.com0type: 5 cds.s5x3j6q5.hwcdn.net;::ffff:69.16.175.10;::ffff:69.16.175.42;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.315{30B46F62-4D08-6352-6F01-000000008B02}2076ocsp.comodoca.com.cdn.cloudflare.net02606:4700:4400::ac40:9bbc;2606:4700:4400::6812:2044;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.314{30B46F62-4D08-6352-6F01-000000008B02}2076ocsp.comodoca.com.cdn.cloudflare.net0104.18.32.68;172.64.155.188;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.278{30B46F62-4D08-6352-6F01-000000008B02}2076answers.uillinois.edu9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.247{30B46F62-4D08-6352-6F01-000000008B02}2076answers.uillinois.edu0128.104.22.136;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000293676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.246{30B46F62-4D08-6352-6F01-000000008B02}2076answers.uillinois.edu0::ffff:128.104.22.136;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.306{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.108{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56DE-6352-EC02-000000008B02}2168C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.101{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd 23542300x8000000000000000201931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.992{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F57CB0BBCB29F8077A5A606C5D68088,SHA256=69AD3F4EB14BA427ED711DA2091CB6DD1EB4BB50834C07DA4DCE3E2B6A69F993,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.985{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.983{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.982{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.980{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.979{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000293766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.842{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local59636-false172.217.4.46ord38s18-in-f14.1e100.net443https 22542200x8000000000000000293765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.526{30B46F62-4D08-6352-6F01-000000008B02}2076cds.s5x3j6q5.hwcdn.net02001:4de0:ac18::1:a:1b;2001:4de0:ac18::1:a:3a;2001:4de0:ac18::1:a:3b;2001:4de0:ac18::1:a:2a;2001:4de0:ac18::1:a:2b;2001:4de0:ac18::1:a:1a;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.732{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.732{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.732{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.732{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.732{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.731{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.472{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.471{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.470{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000293755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.773{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57292-false172.217.4.46ord38s18-in-f14.1e100.net443https 354300x8000000000000000293754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.773{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57293-false172.217.4.46ord38s18-in-f14.1e100.net443https 354300x8000000000000000293753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.672{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59635- 354300x8000000000000000293752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.671{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61962- 354300x8000000000000000293751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.669{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65154- 354300x8000000000000000293750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.644{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local49485-false142.250.190.72ord37s34-in-f8.1e100.net443https 23542300x8000000000000000293749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.266{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3C704B8BE83F263849AB5281364B42,SHA256=7759D24436DDAFB8F93E134889084A9578AAAE53935085276B77710015E7E970,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.545{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57290-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.545{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57288-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.544{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57291-false142.250.190.72ord37s34-in-f8.1e100.net443https 354300x8000000000000000293745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.544{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57286-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.544{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57285-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.543{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57287-false128.104.22.136answers.uillinois.edu443https 354300x8000000000000000293742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.533{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57289-false69.16.175.10hwcdn.net443https 354300x8000000000000000293741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.521{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49484- 354300x8000000000000000293740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.521{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62447- 354300x8000000000000000293739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.518{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58403- 354300x8000000000000000293738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:44.320{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57284-false172.64.155.188-80http 23542300x8000000000000000293737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.197{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=BB070E64A29CF3CF53B726DD0795C99A,SHA256=030BED8D5E46EC0032452892A3C566BC6A85BE2859D0E23CF4324CD096E25742,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.185{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.185{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.177{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.177{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:46.169{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-60C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000293731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:46.169{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-60C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.153{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:46.149{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.10580566893519351672C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000293728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:46.149{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.10580566893519351672C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.149{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000293726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:46.149{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.63.91729807C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.145{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CEE-6352-F902-000000008C02}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CEE-6352-F902-000000008C02}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.696{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CEE-6352-F902-000000008C02}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.697{EFF5EEA8-5CEE-6352-F902-000000008C02}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.649{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=594FCED894754F149B2CD37D0A0A8EA1,SHA256=94AF042E54A93C6E9DCA7DEC9640375A3C2D4089859A6F026F9216C27C4AF545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.325{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=176F989490B111350886DB47AFEE9866,SHA256=418B8C52E7F0F5E45419BD7D837B20B6FF361D19EC4E2C30234C060CEEF2E753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.318{EFF5EEA8-5CEE-6352-F802-000000008C02}27282036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CEE-6352-F802-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5CEE-6352-F802-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CEE-6352-F802-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.147{EFF5EEA8-5CEE-6352-F802-000000008C02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x8000000000000000293724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:48:46.141{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000293723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.121{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.121{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.116{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.116{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.116{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.116{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.116{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.115{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000293715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.115{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.63.917298072\1119532810" -childID 61 -isForBrowser -prefsHandle 9144 -prefMapHandle 2596 -prefsLen 32029 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {795ff9ca-5597-42b7-bcb9-13f5298fd7d4} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 5232 214dacbf558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000293714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.113{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.113{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.112{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.112{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.112{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.112{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.112{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.111{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.110{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.109{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.109{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.109{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.109{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.109{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:46.108{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000293688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:48:46.107{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.63.91729807C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000293841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.105{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52872- 354300x8000000000000000293840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.105{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61762- 354300x8000000000000000293839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.080{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61135- 354300x8000000000000000293838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.080{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52872- 354300x8000000000000000293837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.079{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61599- 354300x8000000000000000293836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.079{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61762- 10341000x8000000000000000293835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.459{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.455{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.454{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.452{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.449{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.448{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.448{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.446{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.443{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8832E56549EC25DEC5530E5794FF2DB5,SHA256=503AEA9E606F420EF780FC420CCDACA7C7C5BFC03CD21635582A7D3A62D77E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.431{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.427{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.422{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.421{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.420{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.417{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.414{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.412{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.406{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.386{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.379{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000201944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.367{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CEF-6352-FA02-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.364{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.363{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.363{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.363{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CEF-6352-FA02-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.363{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CEF-6352-FA02-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:47.362{EFF5EEA8-5CEF-6352-FA02-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000293815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.377{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.375{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.362{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.354{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.325{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.320{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.314{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.309{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000293807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5737A3848B61723933457C93646764B,SHA256=254B7F81C1682049B9715765720FEF8698EE35B968F65107B59899CE4962ED9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.308{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AA9351CC0F18E5F0EAC9FC88D5ECD7,SHA256=E678A7454D72CF1B3C723CC754865108F9518A5CE9AAB7405A7FA592C72B21CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.307{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000293804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:47.298{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000293843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:45.479{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57294-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:48.016{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D740FFCF6B3F939ABC8EC8187086A8AF,SHA256=7880FEE4C09381606E1DF52F30FFB3580438601F47B37248872841510880DCA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.869{EFF5EEA8-5CF0-6352-FC02-000000008C02}31921440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CF0-6352-FC02-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CF0-6352-FC02-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.713{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CF0-6352-FC02-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.714{EFF5EEA8-5CF0-6352-FC02-000000008C02}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000201959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.182{EFF5EEA8-5CF0-6352-FB02-000000008C02}9043420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000201958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.071{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29945735D3F13F76510C4FC5E2AAFA1A,SHA256=AF499D9BAEEB6CF266660BD9EDF3DBC9C276F8EEE7C5CD9B2ABBB5AA172C6CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CF0-6352-FB02-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5CF0-6352-FB02-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.024{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CF0-6352-FB02-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:48.025{EFF5EEA8-5CF0-6352-FB02-000000008C02}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000293844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:49.137{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BBC6C7012686B91A8FA55663BE7DC3,SHA256=D9D504AB5F624E86E1FA95EDBC07722EB269B5F8A46DE078C29E4A37264A254D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000201989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.538{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A1BFFF97BBA41EED1CA6F67A66149577,SHA256=3E3824B8344B42E176A8BB297068A43B709D0BF43DEB14CAF459C6EB25E695EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000201988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5CF1-6352-FD02-000000008C02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000201978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5CF1-6352-FD02-000000008C02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000201977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5CF1-6352-FD02-000000008C02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000201976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.246{EFF5EEA8-5CF1-6352-FD02-000000008C02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000201975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:49.243{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB6E013B6917E3FFDD5933CE59B7970,SHA256=B72651044A970F2694D64B48821C0157DA7D47C5A3A0B945668542BA019CC00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000201974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:46.381{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000201990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:50.221{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FF920B224E71D26E94CD82641D18C9,SHA256=2019B008DA852447434ADF002336C6D084220EA68836CFBC760418F116DFE850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:50.249{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ACE261E73964E10B3D37281BA74C90,SHA256=1A038D631A3D5D6F26C0C91609481EBB196B4627072C7BE089DAD1E7BBE9ED41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.926{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.924{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.918{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.889{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.878{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.876{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.849{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000202000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.821{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.799{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.792{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.781{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.770{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 10341000x8000000000000000201992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.754{EFF5EEA8-4860-6352-1F00-000000008C02}12002816C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838F10) 23542300x8000000000000000201991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.297{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE3099AA22DACDEB0CE898660CF6253,SHA256=E0CA04B99F05358960FAECC4C8293D7F5DBBD441DCFFCDDF782C8019A0BE970F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:51.442{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=0232F6F7DAB29B465C370523B448AAF1,SHA256=935402FBEE449AFC938327A8BDECBF9947D07DCE469839F917AE3FFB07CEB4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:51.370{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F2347019958F766EB81E1AAC807521,SHA256=1A79EA2A6649FD60847184122FDA40B2E5485D097567CC891B42C15DCB162FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:52.692{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1034A6A37B562135885669FFCC8319,SHA256=FD9542CEB271FB4543C63E67EA79822A96310E8006FBF9EDE792BDE2E4CE5459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:50.577{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57295-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:52.476{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5898962FC05F90E6C957C4FF441533A2,SHA256=77EEE8926DA617F4CEC48920B58FFAB8C2C13A036912ADAAE75EB4CEE187D9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:53.778{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F7E19250638F8ABB158D0A81EB544B,SHA256=07CBBB548E7D389B5F15FBDF41F972E4E205C44AEAC0BE945F248A064C50F9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:53.485{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFCB44A1ECC0378B01F8F8587E524C9,SHA256=8473F2AFF7365238AA38349282565557B80B7F671F1DC84B904F64101CC32B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:54.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C2816DC5271A9A7951D3816BD8FA9A,SHA256=F45E32249CC165C65192F0AA912D4F85B5C84231EE83233E31B014504CF03452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:54.506{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCFF52FBAA4C2F4D271072347F5C3A1,SHA256=3AFF03BC2C71E3A756AD7140369D74A0F85955AED3B91BCB2561FB38F3CD033F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:51.525{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:55.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B44B7FDCE182E3DAE9F13BB99CF93,SHA256=32EAEFE8EA6CC7EA33F8E8F100FD7115A48E3E4E1660E177F5820203399EE4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:55.622{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA28A9DA69B297F7EB9DCAB7E355BB07,SHA256=50ED5A0F132DFF3AEA2381D0D1E28473B8D647DE179F227E1644169283AB3450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:56.643{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB638B2E91DDFF0576F1BB82218F744,SHA256=C08FBDCB656C39260B0084962B1C5002D6895985F9907A1C03592D4BA61D44CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:57.655{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DC63F091F81BE9185806789C295C82,SHA256=ADB3AF82DF046B67B3C9239D9D5192EBA35E1CF3CD4FCDA5FBCF9C5135A81DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:57.029{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1EF2853C74E94E99CB21123D741668,SHA256=015643EB317124B1B96C19CEF4069689AA8B7602F94F96B10A1ECE68F9E5646E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:58.668{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781FB35F66516CDB6F5F8791E7AB78BC,SHA256=F84408AB70C360FFF039340D1343044F74B1432FBF95AC79525A44D81A17819A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:58.131{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB540533B75D8D0C199F35165C4D6BC9,SHA256=B47949F3F2EFEEEFF71EAAAA2EEE3384DAECDD0867861056F08F40C981F271AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000293855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:56.446{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57296-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:48:59.677{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46620D30C83BD4DE95713A06F4570155,SHA256=F8FA3C4DE3669A12784A10513444D50E63FDCE1565D2B0F15CD160CF02EAECBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:59.216{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97935BD1E0FF30119BD454A7C96AD3E,SHA256=72C99D74F78D95EAE4636719C70FD005C1D60899076A1AFFBADF7B15E2979F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:00.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5170AF667F0EA08C00DDE3A93F682C5C,SHA256=D8EE4985D1867A6C841F47C28634B2BFC9C450FC1DBED50C20D47C55362E3C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:48:57.441{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:00.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88756DE5E26CCF5A29AE5087815A99B1,SHA256=2C3DA3A53D87D915B9F14566D9D264E9C7283EE385291A4D3AE86058F08B06A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:01.370{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A392639F4F4B1B7F326C486E05998025,SHA256=47AD8CAF9DA9485FB5712E6033E25E7CE931BFF96C3D230A6AE645F85E8AC19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:01.957{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CD44448DDAA5873F6C7DEFD2F7734BD2,SHA256=2699282068654263295C7D0F7CB92459E28688B8D937A417F0EE09BDA9FD4C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:01.689{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1F4DCD94F860D0E2C8EA3831AE2E2E,SHA256=14CA96C70F1BD513C52AAD7CFD432357C33F83E274414683F42B137B1F7D53BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:02.467{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BB6772932193B7A7A23209730C8C04,SHA256=8FC367A5DFF63019D43876AECE1A08AF80EEABACE7CE4E915E113B98481484D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:02.699{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB11ED46CE7CBEF9C9F23A214E36AD5,SHA256=4EE03512852340E703931FBB86E4624A13F134285322647002B87778CB3A9AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:03.571{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6685B4743BCC8B847E09670AE9EF0323,SHA256=792788C61A41FAD97D136C92E8AD952186BDE77255900A51145046D00CA6A778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.995{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.990{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.984{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.980{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.975{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.970{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000293874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.959{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1854C0171962410D2F3E2296DF533BF4,SHA256=0BE3FD6E2FBD606C0A08E137F294CEF03A0825C8075177865D0CD489510D1579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.955{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.943{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.927{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.917{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.890{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.876{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.869{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.859{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.847{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.804{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.798{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000293862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:03.710{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF38742AACAEFF3188F8EBB15A62B961,SHA256=D02E70925305304D40207DBEECC92B8089FA0C87370D43D8EE87920479771609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000293890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A0633D90D8A159C0CC7FF6DC54543C,SHA256=C4FC384E159220FA8CC1BA62BBAFEC695D70FF7C6AB970953EFB68D15A876F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:04.910{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=01131D1330B04D723E65B10C9B281B0F,SHA256=1B149013661A411B5F66637AB33C7FCD5270B9D88B984321C0AB148397731B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:04.660{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD16229A0A54D985B43F70E60B872589,SHA256=F8E6EC742F8318BD767DBC86E85A566E6232BEF1ED16F72515CE2B408EEDA8C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.518{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.514{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 354300x8000000000000000293887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:01.553{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000293886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.031{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.025{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.023{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.016{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.015{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:04.002{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000202036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:05.760{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAFBC5BD3463910F3D39A3BCFCCD6F5,SHA256=7BF5BB9166B09589284D94A12B6D96B1DB2B0D31487FA3D209677F71171D87E9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000293900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000293899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0050acb5) 13241300x8000000000000000293898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e521-0x97822805) 13241300x8000000000000000293897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e529-0xf9469005) 13241300x8000000000000000293896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e532-0x5b0af805) 13241300x8000000000000000293895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000293894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0050acb5) 13241300x8000000000000000293893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e521-0x97822805) 13241300x8000000000000000293892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e529-0xf9469005) 13241300x8000000000000000293891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:05.011{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e532-0x5b0af805) 23542300x8000000000000000202038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:06.844{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F051133F1DB02A0C4703309CBC72D5A5,SHA256=5335E19A65EEC83A55540F3BFEEE3FFA123FB29DFB609E2042FDFB46461ED46A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:06.524{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:06.523{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:06.521{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000293901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:06.048{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05B8D3A8D878D12FD975077D4D71278,SHA256=B87C178C47081D292C58C3E0D369EBE9914F479DFE7E1F19F0277784CA8E3B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:03.366{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:07.938{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6984B570013478BC6CBB5639EA9E81,SHA256=1090DDF30A3F9854BCACDDA4C029911E34343E7904D802FC9E4FE77151B071A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.217{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.214{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.210{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.209{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.207{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.204{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.203{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.203{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.201{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.181{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.179{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.174{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.173{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.172{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.169{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 23542300x8000000000000000293924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.168{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1959D52990C5275B2B673FAF924413,SHA256=888570A03EC5C015F46291EFEBC647A739920A7F48FB377C7340B199AEC424AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.167{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.163{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.155{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.133{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.118{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.117{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.114{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.098{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.089{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.055{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.049{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.042{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.037{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.035{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.033{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.031{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.030{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.028{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.027{30B46F62-486C-6352-2D00-000000008B02}27203536C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BEFC3D0) 10341000x8000000000000000293985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.619{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.619{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.615{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180435768F1F09F5812FDB79FE0F748B,SHA256=702E79BF965E99C89335CC0CC0B42622139B2F467A93B1DBF9ABE99FA9B81232,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.611{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.555{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.552{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.552{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.545{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000293977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.545{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000293976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.541{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.541{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.535{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.523{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.523{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000293971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.519{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.511{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000293969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.511{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000293968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.507{30B46F62-48CF-6352-9A00-000000008B02}48043124C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.503{30B46F62-48CF-6352-9A00-000000008B02}48043124C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.487{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000293965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.487{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000293964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.483{30B46F62-48CF-6352-9A00-000000008B02}48045372C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.483{30B46F62-48CF-6352-9A00-000000008B02}48045372C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.483{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000293961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.483{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000293960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.471{30B46F62-48CF-6352-9A00-000000008B02}48047408C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.471{30B46F62-48CF-6352-9A00-000000008B02}48047408C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.471{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.467{30B46F62-48CF-6352-9A00-000000008B02}48047408C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0D00-000000008B02}888916C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.463{30B46F62-485E-6352-0C00-000000008B02}832288C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000293945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000293943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000293942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-48CF-6352-9A00-000000008B02}48041772C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000293941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.460{30B46F62-48CF-6352-9A00-000000008B02}48041772C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000293940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:08.187{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E45FAFBF74AA6564F19032783CE257,SHA256=007F146DFC89B1D4C06B5973697433F9D4913905C125C23C9B804D49D22F2F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.650{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A195BE95934AFB6370BB6DEA09A62D2E,SHA256=83416A11A63C1BDFCA74328036C4F3F31AFD732A65157A452D76D9B7F15685BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000293999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.508{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.508{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.508{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.507{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.507{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.507{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.478{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.478{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.478{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.478{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.477{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000293988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.477{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B503-000000008B02}7456C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 354300x8000000000000000293987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:07.387{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000293986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:09.315{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83840B593E5B8E42C8C1C2A5D76A6F5D,SHA256=D750FE5EB6643B28883FC3FCB9B58B0AAB0FD486314D37D2F6CF57BA0A1E65E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:09.015{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A30E5EB3300FDAA5363D5107EA6AB0B,SHA256=898B52B1C2F733F39EEA2AED49DD3D33878BA3F2D2C8C7F4B1A16D408CB5B2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.673{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C80BE23D44B1207D216055A0D3C285,SHA256=C39AF4A7A47A6FE8D63B3CC258214F186AF9A7F8D181ED9933AFCC12230F1EE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.588{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000202041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:10.078{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739CC890F084A1CB04CA1DA386849B8D,SHA256=951F81728DD9DB4A2D2C040771C63D451495C068269A315288E6B53A05DC9030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.254{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.254{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.254{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.253{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.254{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.253{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.253{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.253{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.141{30B46F62-48D1-6352-9D00-000000008B02}2812ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\AIAXV36I\microsoft.windows[1].xmlMD5=0BD253C1B4061B8EB0BF82A6FE3813B5,SHA256=60A032A2DA7AEE01F651C62E04AAF85CD62E634D9A8D2403C2838DE06900BAF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.130{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.117{30B46F62-48D1-6352-9D00-000000008B02}2812ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\AIAXV36I\microsoft.windows[1].xmlMD5=EAE6BE994769876925E45AE64864AEDD,SHA256=4447E40590F3D6B9CD6B8192426443464BE6E319ECE36962016F53418BAB7CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.113{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:10.113{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.761{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.761{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.761{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.760{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.760{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.760{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.760{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.760{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.707{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F3DFA49AD7AD88B33C9549489B778B,SHA256=47572E7C8CEEB3F439812E9E357939646141381B6B77A5F98955E1B868EEC40A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.911{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.909{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.907{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.906{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.904{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.901{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.892{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.885{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.881{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.875{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.873{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.864{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.854{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.843{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.837{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.824{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.819{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.798{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.792{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.781{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.775{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.768{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.761{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 354300x8000000000000000202043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:09.389{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:11.158{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6AAD4CDE3EC23C4954D41BB9D62244,SHA256=2F37DC6D1D56CB432331226910083B6E66AC9EE6FA897FF5BCF15E34EAF8C3BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.595{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.591{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.591{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.430{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.426{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:11.426{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:12.808{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8B65263F4A2BF9E4A40A20027B68AE,SHA256=0410301C5373AA045673676BAABF1B2575338F4DE6C478938B434CC86E22F65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:12.477{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFDB65C422C408A67D5D56A8A56E86B,SHA256=208C1C756B80E8908CE06D3F0C090BFFD1CC06D6A5B66E916B68812CE92B7E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:13.543{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE9D6F0BF1DD5E5415201C6D1954E3F,SHA256=742551D90F1F5B511FE6905DD3479E1EEC85F624832876A67C227A62A42BDF09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.437{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.325{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.321{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.321{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.154{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.154{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.154{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.150{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.150{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.150{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.150{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:13.150{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000202079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:14.654{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80562A6AD92F05B713A542A071E68511,SHA256=A801722EF4D83BCA4E68C7FA7936485F31109400D34A5661CA7CF6231C74E23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:12.445{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57299-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:14.279{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F14EF9DDBD868F4D09CAD09541354A,SHA256=F86399BD86FB930FDC3FFF5A912C4B69B0917CEC9E7177F7220B36EAC4C129B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:14.061{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:14.062{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:14.059{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:14.059{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000202078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:14.373{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:14.373{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:14.373{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:14.354{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:15.743{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159C6B574F0BAB66E5C00539308A46F,SHA256=C14CE198568F3CA3B2072570BB146BC2F4C32FD612FBB2AF43E6EEEC786BEE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:15.167{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73970E000A149B3519F702B5B2F2747E,SHA256=5DC7C5E0B9F627AAF7DFB230A1E8A93367027BF4C03B3BEB97ECA9BC581A2E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:16.825{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4C13AAF6C5B4F48AAE8386EF7263F3,SHA256=5722E2FD354C818D63816FAABA805B59F6C25262861A1F0F6EEA79A1CADB4DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C807C8C10F142D7C38D0D0B997B73BA,SHA256=CC32B7FFC085D1D757DDE093165563841211D591558CC9F8B002EA13E965E747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:16.202{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000202084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:17.905{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164A87FDF91D713C056FD723B3B44466,SHA256=519A36C015994B9EF53EBF9D0C67F5FEA45B095A8791787B8429BE553F3F10A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:15.373{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:17.251{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41781630C6331C379D0AE96DBF8A762,SHA256=DBC3A2026306E5DA9242CDA76D751820A3F03FB3BE4BC595C1EFAD446EA6DA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:17.414{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-085MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:18.988{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB7B3CEADD0CC2B40BFC2AE087F22DB,SHA256=ABDD9FBBF542899323E930FCC43A9D19E04D6AAA23E453D28A94EE0E10B38D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:18.323{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33767840A54D0381C942686A6EC3067F,SHA256=4EA8E2B46CAE124A20D44D264FA806D28D30A12ECEAE67B27BB4AF4311EAC108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:18.423{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-086MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:19.376{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF08FFAF55EA3A339DE7AA8713A1FAD,SHA256=25F9E4C20383748BEEAE0CCB71320663BD3808C0BCE73D5C7CBC03F7BA2482B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:19.698{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E9D1B3714CEF8C05B9E1E8266875B203,SHA256=D13F43E1CE3CC27C8FA83B324AD2D52EDE5E26D4850B3C8C84EFF72E73D90311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 23542300x8000000000000000202088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:20.057{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923980D66FC5A8C755B9A1B6844513FC,SHA256=C6FB309F5115C1A19D1BD9E330B466379E50AB40CB54F42191044481CDA71889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.928{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.844{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.770{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.688{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.687{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.687{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.483{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2309F9422AA06A2CD559913F41C9E2,SHA256=E2BF3D4EFBE6CFA7649B749075E67521BC75442EE03858A10FA246FF82D8A019,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:17.567{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.187{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.186{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:20.186{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.706{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F507A367C2B3AF1BCA985C9BBFFA1860,SHA256=F59C1DA031275A466C620FA5B1871A5801A4DBB9F5D55AB47F6F280B800EEE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:21.142{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD399B873AED7568740EF36B7F82D575,SHA256=4020ACA8B37253EC7C18222C894252BCB5AAB761D7D5BF221DE8369FD44B285D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:18.474{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local138netbios-dgm 354300x8000000000000000294159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:18.474{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000294158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.106{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA618D6AC100CE8BA4CB1A2ED27FE4D,SHA256=CFA9A282705F0B92CCCC88A9C5CC45E0344496A8311C2F432D43767FDDC3BE6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42526912C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000294142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:21.013{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000294162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:22.744{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC8D70CB513C55E9281B8A3A983A4EE,SHA256=AD1BBDC2C40E7170A778CDE9F1610735BE81DC7EA87F8F522370C3F3828634F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:22.226{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD6B4225FE244485CF280AB9D3EC4FA,SHA256=C033C878E4C220696151607FE5F45B8A2DC1E741FE1DF90A9B0866C4E63E37F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.987{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.976{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.935{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.924{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.917{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.906{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.896{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.852{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.848{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000294163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.797{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5CDFDE67C0E40A703B081817D584C3,SHA256=34C098520FE80874E0C10E7F09953E2D09ED26A8FA723388C3AA3A8E88930E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:23.320{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4854F01CC67DEB2EFA49C50AC8D0AF,SHA256=1AD829059FBB7B9C892E9AA950E3AEB1FBBE3B219F98434A7075E909971189B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.821{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4EB325D6C00BEA42DC1297A8A0ACA8,SHA256=E1F62FDF6B0A3E0202088DB5F2D433C993D209D3B805AFEBCAF80B095A25EB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:24.403{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5097604CE52E8DDE875435366359C501,SHA256=D2BF3148BB64D6FE27471C0D386BE2C10D564B0D496CA8F5DF31BF452D7FD103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.540{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.536{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.090{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.085{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.077{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.070{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.068{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.058{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.051{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.048{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.047{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.044{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.038{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.033{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.016{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:24.008{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 354300x8000000000000000202092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:21.338{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:25.492{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248142B93442489C75C231E1EDF3B77F,SHA256=25FC27F4F44708A9C36D2F4B4B95D7E82B85FC659762BA9DA8B3EC1BB74C3DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.994{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9467047022A97FD5B63CC5A7E541A216,SHA256=165E65FFC71F03F70924C649220215AA5E8C17649BC1FE70CB15256E9016F4BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.986{30B46F62-485C-6352-0A00-000000008B02}6203048C:\Windows\system32\services.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.969{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.969{30B46F62-485C-6352-0A00-000000008B02}6202528C:\Windows\system32\services.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.898{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.898{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.871{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.871{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.828{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.750{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.743{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.743{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.742{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.742{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.742{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.741{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.737{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe10.0.14393.4169 (rs1_release.210107-1130)Speech Runtime ExecutableMicrosoft® Windows® Operating SystemMicrosoft CorporationSpeechRuntime.exeC:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=58CB8B1140CE6857A5D7F6F107517640,SHA256=606ACA00EA03AD3AAEA0AD30A352CE4BEB5C81F9E55317C8F56033CC306C000C,IMPHASH=D8C2D5384005E2BA400B311A4694C522{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000294194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.697{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000294193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.697{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000294192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.613{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6212c|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000294191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.613{30B46F62-48CF-6352-9000-000000008B02}42526344C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6212c|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 354300x8000000000000000294190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:23.535{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:26.585{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3848C390B4390925C251308C62A3FFC,SHA256=71388D13906BE0D93A0B40C6372E656D4F5F3A87C6532617AB2688DB44FCA39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.974{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E63F5BC71ED8F2ADD2C0C780D5C27E23,SHA256=EE2D638EA9BBDE75BC564451C7F87D0612617D82D22D7CD67D9D19B7EA006EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91A77E56D337BD6AFFA749947B2F054,SHA256=A8E18985206A5C3FD7F691774A49219E4DADABF23E99734EE11EA36764F91D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.898{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.897{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.897{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.897{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.896{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.896{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000294240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.821{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B446BE4283E65BECFEA297785043789D,SHA256=F3B18154A174BB2AF498BB0D2E7EEB9DE21B52FC4B4F06D0082C6C6EA2946550,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.757{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.757{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.757{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.748{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.748{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.748{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.575{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.574{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.572{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.494{30B46F62-48CF-6352-9000-000000008B02}42527180C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\Windows.System.Profile.HardwareId.dll+1dd9|C:\Windows\System32\Windows.System.Profile.HardwareId.dll+1fdc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+54883|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 23542300x8000000000000000294229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.399{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3417A327419C980E0E12DADD64EDD1E2,SHA256=E38B4A4902F550606816EAEC413733AD47A2AA4301CA954CF6390B0503D249B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.378{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.362{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.362{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.362{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.339{30B46F62-5D15-6352-B803-000000008B02}6792408C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\wbiosrvc.dll+517b3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+3582b|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.localT1031,T1050SetValue2022-10-21 08:49:26.298{30B46F62-485C-6352-0A00-000000008B02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\StartDWORD (0x00000002) 10341000x8000000000000000294222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.298{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.298{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.298{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.282{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:26.154{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000294217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{DC576DA6-D676-4A15-906D-C0CEAF949543}\AutoNameDWORD (0x00000000) 13241300x8000000000000000294216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{DC576DA6-D676-4A15-906D-C0CEAF949543}\FilePathC:\WINDOWS\SYSTEM32\WINBIODATABASE\DC576DA6-D676-4A15-906D-C0CEAF949543.DAT 13241300x8000000000000000294215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{A61A7480-6A54-4D36-A0EF-B150B8545827}\AutoNameDWORD (0x00000000) 13241300x8000000000000000294214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{A61A7480-6A54-4D36-A0EF-B150B8545827}\FilePathC:\WINDOWS\SYSTEM32\WINBIODATABASE\A61A7480-6A54-4D36-A0EF-B150B8545827.DAT 13241300x8000000000000000294213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{51F39552-1075-4199-B513-0C10EA185DB0}\AutoNameDWORD (0x00000000) 13241300x8000000000000000294212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:49:26.014{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\WbioSrvc\Databases\{51F39552-1075-4199-B513-0C10EA185DB0}\FilePathC:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT 23542300x8000000000000000202096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:27.677{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E29A364110F1C56D1E46F82BA65BBA,SHA256=9268EC3B72D966FB6A3258B7040E289E220E5EF5B2E8B61AD87A90DA59A5A2D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.261{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.258{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.256{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.252{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.251{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.248{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.245{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.244{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.244{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.242{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.225{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.222{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.218{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.217{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.216{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.213{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.210{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.208{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.201{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.183{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.178{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.176{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.174{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.148{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.139{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.103{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.098{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.091{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.087{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.086{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.083{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.082{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.081{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.078{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 10341000x8000000000000000294249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.078{30B46F62-486C-6352-2D00-000000008B02}27203248C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001D7BE190) 23542300x8000000000000000202097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:28.765{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB1B5271C75218FA10504A99C4FC477,SHA256=FAD9C6DE437079F22AA1172491206F7B6EE48C48684E5C4F0B0DD8203B714AD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:25.991{30B46F62-5D15-6352-B703-000000008B02}980C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57302-false52.140.118.28-443https 23542300x8000000000000000294284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:28.160{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E264D7F245C121C83977F29B06FDAA16,SHA256=0B2B43920D446823226FFD77E03F9F5FB95BFD83CCC4A5C87CB548450DDB1B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:29.860{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED53BBE5DA4AA3B0B4EC006AD90DAEE,SHA256=8F2922A42ECBE777283D05941E8721BC99EDC997B5A92113F2E7DFF74150AA91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.651{30B46F62-5D19-6352-B903-000000008B02}65246284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.369{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-085MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.296{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D19-6352-B903-000000008B02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.294{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.294{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.293{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.293{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.293{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D19-6352-B903-000000008B02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.293{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D19-6352-B903-000000008B02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.292{30B46F62-5D19-6352-B903-000000008B02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.276{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305AAE065F3D6F0D1FD01A8772455A25,SHA256=68C0C33045B0C1AB85E15564DA2EF57C8C4C6C4FB9BA6113B099EB604AAF5B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:30.943{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4BFB8CE880270671CA31ADD8BB103A,SHA256=7E742375D9D9AFB1919C8A2C6E63B2216B2470B84D5A8693BF24A1E7C114BBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.820{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D1A-6352-BB03-000000008B02}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.814{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.814{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.814{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.814{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.813{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D1A-6352-BB03-000000008B02}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.813{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D1A-6352-BB03-000000008B02}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.812{30B46F62-5D1A-6352-BB03-000000008B02}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000294309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.759{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50350- 354300x8000000000000000294308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:27.728{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50350- 23542300x8000000000000000294307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.365{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B253816B65C402746077B6E2075B97,SHA256=3005CDE21B89CA17503A627EF8CA241F496D2E3FE1B3864DE1910E1B5F85BAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.358{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-086MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:30.010{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:27.362{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D1A-6352-BA03-000000008B02}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D1A-6352-BA03-000000008B02}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.148{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D1A-6352-BA03-000000008B02}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.149{30B46F62-5D1A-6352-BA03-000000008B02}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:30.123{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:31.827{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2088CD7558B95FDFB3C5D224611CB23A,SHA256=C8BACC325822DBA79452068546270462F06553863EACE5B5A4181155855B6BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:31.461{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF16E06128652AFEFBAE9FC29D7C712C,SHA256=0AB8DEBC489D349DF6118FF8A82D586866BF05E8E7DB0ED7931B203267E394FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.903{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.899{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.898{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.896{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.891{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.886{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.883{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.874{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.870{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.862{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.860{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.852{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.841{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.829{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.822{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.816{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.811{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.784{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.770{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.764{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.759{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 10341000x8000000000000000202102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:31.757{EFF5EEA8-4860-6352-1F00-000000008C02}12002844C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880F10) 23542300x8000000000000000294318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:31.308{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3ADE95C1EE228714B05BD3393198DDF8,SHA256=A9DB0AB528AF26B1C0AE3437F852F7AC7502E6281B4DE2D7946524591224057A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:29.296{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000202131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:32.052{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D37C3BB9322A75440D2E44B7E20B9E5,SHA256=AD5836D0830602D485F55B26DCFE219719C2C1EA266A7ADC371E6641ECB88562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.911{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000294333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.911{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000294332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.886{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.886{30B46F62-48CF-6352-9A00-000000008B02}48047988C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.886{30B46F62-48CF-6352-9A00-000000008B02}48045304C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.886{30B46F62-48CF-6352-9A00-000000008B02}48047988C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.886{30B46F62-48CF-6352-9A00-000000008B02}48045304C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.870{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.870{30B46F62-48CF-6352-9A00-000000008B02}48047408C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.870{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.870{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.476{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:29.475{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57303-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000294321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:32.560{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC4FDB6A04A8DC5775F59B4B8C5AC8D,SHA256=F7AF5AC8C21C7769E8B51F71992A67CC4B1304FFC28214C3FE641A45213C7094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:33.204{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3DAE633213F17FF9ED002962AFE37D,SHA256=5AF21EA345B8F420A0FC027EFB2EF16150F5752D4D952481A99BF254A19CC17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.668{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B113F09C3CA7F4A8D86B9122FB98D4,SHA256=69759362DB07271B9551222C463D39D1093D1F2529CFC0AC3D2945426D51236F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.612{30B46F62-5D1D-6352-BC03-000000008B02}17286720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:31.779{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57305-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000294343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:31.779{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57305-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 10341000x8000000000000000294342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.405{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D1D-6352-BC03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.403{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.403{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.401{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.401{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D1D-6352-BC03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.401{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.400{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D1D-6352-BC03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:33.212{30B46F62-5D1D-6352-BC03-000000008B02}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000294362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.955{30B46F62-5D1E-6352-BD03-000000008B02}5007992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.852{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.852{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.852{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.851{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.851{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.851{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.670{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.502{30B46F62-5D1E-6352-BD03-000000008B02}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.630{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215B0FD7875A0AC8428F9163652E08C2,SHA256=CFF0F05311B47CB19B846DE1CC1776AD8D131505551668984B58B4C82917C1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:34.283{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB08131D7CFA9B0B3EC22F73C04D4AB,SHA256=4F241DE0182B29352393BEAD2A7AE342328F2430991B68CA62C6A5A0B696AD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.875{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DECBD0685BB88B2B7113711276625D1,SHA256=B17F1AAC4BDF28F668AE4BA3F598F0F0148B2AC0A722F5A491DAAB122C85B39F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:35.372{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1D913622F06B536E1288601D7DFF5B,SHA256=DBF535CEE74229582C8B056E249E8D20956065CB2785352DEDF5F98D455E2EB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.614{30B46F62-5D1F-6352-BE03-000000008B02}66167924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D1F-6352-BE03-000000008B02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D1F-6352-BE03-000000008B02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.432{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D1F-6352-BE03-000000008B02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:35.433{30B46F62-5D1F-6352-BE03-000000008B02}6616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000202135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:33.342{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.983{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E25BDD0E0ECA369761F63324FB68BC,SHA256=6D7EF7B71A511BC487DF12ACB7F9CF7CDBD403FCAF2CB00952F74BA706E4E05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:36.471{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD86CA618067B56AA7D9FC3D487A286,SHA256=563B13F903BB9D0A7B90DF8F5DAFE584527DD73C3042FD74769872B062EC892B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.112{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D20-6352-BF03-000000008B02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.111{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.110{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.110{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.110{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.108{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D20-6352-BF03-000000008B02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.107{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D20-6352-BF03-000000008B02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:36.107{30B46F62-5D20-6352-BF03-000000008B02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:37.555{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8050F16CE0348C95B4E2F95EC6F97E06,SHA256=8904B441583DA1FECD2A0EA9AF35664A0D77341701D037E3F0CDF141CCBE9DA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:34.698{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:10d6:176f:f5ff:fef0win-host-ctus-attack-range-144546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000294383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:34.500{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:37.176{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C91343BCA0652712331093A64254542C,SHA256=7AD834BD2CC7F4765C1203DC5D03081339C8B1B83F9A34D38F7F4967D82EA37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:38.538{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FC2E3AB56B633EA33568FE35281122,SHA256=342F7A65D018B2A90C3CF6A4676EC219A17644CFD8F5456D2EAF74E8DB21152C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.364{30B46F62-48CF-6352-9100-000000008B02}43046268C:\Windows\system32\sihost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.195{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.195{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000294385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.195{30B46F62-485E-6352-0C00-000000008B02}8327004C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000294384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.139{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3561D531A7BEB2DC096FB248E19EB3EE,SHA256=5D75E21032711CA8ED537BA7997D26AA302A903101809DBF4DEACAD0715E1537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:39.619{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6652C8F0FA4C12D6CAB24C2DB953BEBB,SHA256=4EDA8B67DBD79F4ACE3F416FC462452DEE6ED29EC68D3B6CDB0BB38E227D8B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:39.544{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80a49|C:\Program Files\Mozilla Firefox\xul.dll+e80d2b|C:\Program Files\Mozilla Firefox\xul.dll+121ed8b|C:\Program Files\Mozilla Firefox\xul.dll+e7d527|C:\Program Files\Mozilla Firefox\xul.dll+e60a97|C:\Program Files\Mozilla Firefox\xul.dll+1fdd212|C:\Program Files\Mozilla Firefox\xul.dll+1ab4b2a|C:\Program Files\Mozilla Firefox\xul.dll+1ab71df|C:\Program Files\Mozilla Firefox\xul.dll+1895d88|C:\Program Files\Mozilla Firefox\xul.dll+1cb4920|C:\Program Files\Mozilla Firefox\xul.dll+1e2a3ce|C:\Program Files\Mozilla Firefox\xul.dll+1e36802|C:\Program Files\Mozilla Firefox\xul.dll+1e98cfb|UNKNOWN(0000017F81FC3F00) 23542300x8000000000000000294394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:39.189{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6759B2F9590ECCC40F597EA205DCD5,SHA256=0668824743C14B6C364E18E3FFCF3E7C1F12F6080C1510BA235D3CDCCE7415F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:40.709{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C05B21FD99BC4E99CB1EDD258F5FE36,SHA256=21A4BD8EF16ABFF12255F0AF949C59229E490880722253905AC3458985216ED2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.952{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62373- 354300x8000000000000000294400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:38.937{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64354- 10341000x8000000000000000294399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.301{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551F49158E69EAF9414BB61BD7350412,SHA256=577CF9652472E760BF0703359B95745E7CE879C07D0E377CF1F5BC80F863EF99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.254{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA0-6352-A003-000000008B02}7208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.254{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+44ca766|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+9834c4|C:\Program Files\Mozilla Firefox\xul.dll+9826ab|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c7e7|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e 23542300x8000000000000000202144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:41.793{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192ADED9E1355799569381F58BAA3937,SHA256=48F6CDFB4E06DF4E85440C7954156C57FC3F5FFDB5D2F41596404DED963CC77B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.979{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.979{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.979{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.978{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.978{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.978{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000294456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.836{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF1757332E61B4F5DC83E6098B27EB6,SHA256=B45C489C32BBEBF71A83D9BA8D491E1B078C9AE08252DD2632A65AE2CBC62219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.700{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=F91CFB26A6912CD1AD8773F33B90FE9D,SHA256=3BE81161FFD57417DA3053BFE230AFB63E59608E2A5F6D8E2184152286C76376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:39.669{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49618- 354300x8000000000000000294453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:39.668{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51606-false142.250.191.195ord38s31-in-f3.1e100.net443https 354300x8000000000000000294452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:39.621{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51603- 10341000x8000000000000000294451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.556{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.344{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.344{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.334{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.334{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:41.323{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-61C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:41.323{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-61C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.297{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.10703745281237921953C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.10703745281237921953C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000202143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:38.557{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.64.64402708C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:41.297{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.267{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.267{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.265{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.64.644027083\362057895" -childID 62 -isForBrowser -prefsHandle 8064 -prefMapHandle 5620 -prefsLen 32029 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50546cb8-e353-4391-a49e-35ce986ed9dc} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 6128 214dc5f8658 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000294428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:41.257{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000294402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:41.257{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.64.64402708C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000202145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:42.861{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4888D22797E2755F53D46C024A19369,SHA256=D29EDE74372685AFF59C93ACFE9965608F1FE62B225E1328A3336D7887322EB9,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000294474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.301{30B46F62-4D08-6352-6F01-000000008B02}2076plus.l.google.com02607:f8b0:4009:817::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.298{30B46F62-4D08-6352-6F01-000000008B02}2076plus.l.google.com0142.250.191.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.296{30B46F62-4D08-6352-6F01-000000008B02}2076apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.191.110;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000294471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:42.377{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5784C5A16132EFE8CCD50D294285EEC8,SHA256=88D435E2AB7A1677388E6315C4AEF29238C5C45477E0C6F7C3ABB04F3FA092EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.493{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local50267-false172.217.0.162ord38s42-in-f2.1e100.net443https 354300x8000000000000000294469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.492{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63189- 23542300x8000000000000000294468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:42.309{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A3D14D22F6257B0574F6AC85AA6F9D9,SHA256=B4472BCF04709C1CBBFC163786641FE1BBE70726CA71B9BEFE57795AD06B5216,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.400{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.295{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local50742-false142.250.191.110ord38s28-in-f14.1e100.net443https 354300x8000000000000000294465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.295{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50266- 354300x8000000000000000294464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.294{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59076- 354300x8000000000000000294463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.290{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50741- 23542300x8000000000000000202146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:43.913{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCC11BC35EF296CFBF7DA0B55ABE3DB,SHA256=DA6EDD3C680B0266E5372466997106F2579C14F4C2A58AAA699624AA38EEC90C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.994{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.988{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.983{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.980{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.979{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.973{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.961{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.943{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.936{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.925{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.918{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.892{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.880{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.873{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.858{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.844{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.801{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.799{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 354300x8000000000000000294478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.858{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63309- 354300x8000000000000000294477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.858{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58710- 354300x8000000000000000294476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:40.858{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61546- 23542300x8000000000000000294475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:43.390{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A65DADFA22C480A3C7B124CACF7E91D,SHA256=CEC27C6F535AF0AFFDE87F2DB3EF1416C3CC62CB35A18D9F906A7AFB90AC1BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.410{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE682E5650B6C28CFC38407BAC752D90,SHA256=CDF74D79FF02F2C09236572906D41629357598D34EAA90274F38BA6AF985C108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.408{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.405{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.024{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.016{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.014{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.007{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:44.004{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000294508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.833{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=FD6DDB97FACFC02C6787EBE54D35C23A,SHA256=EBB2F6D7055C2F11441767D60CD35C0E9399AE9F6363DD18D81C2F37D94C0F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.822{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++www.google.com\ls\usageMD5=0B36D4DFD77703216976821088B26854,SHA256=9A5727C71679A083E5FE733C385BC4013FADF20C947103AE38F077768DF91D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.532{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A16A46A4CDD2E312546E6564A1C805,SHA256=5B5A64AB4ED35B3D2F724543ABF7E7C2111B5908F10CE219511A18200C657FFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.677{EFF5EEA8-5D29-6352-FE02-000000008C02}39563440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D29-6352-FE02-000000008C02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D29-6352-FE02-000000008C02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.464{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D29-6352-FE02-000000008C02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.465{EFF5EEA8-5D29-6352-FE02-000000008C02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:45.010{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C91EE9DFB7415EC40178722D2363ED3,SHA256=E8778C50E94D5A95C581A1BBF1D13ECC6EC1B23D365D3D2E2F04857AE3B01A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.253{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\28078MD5=FC00A14C1CE3F5BA7D30A19B23BEC59E,SHA256=580F38C1FBA1F81CC4ABC90D85D643FA79EE625508D7BB824CE15C6425755BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:44.566{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000202191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2A-6352-0003-000000008C02}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5D2A-6352-0003-000000008C02}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2A-6352-0003-000000008C02}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.808{EFF5EEA8-5D2A-6352-0003-000000008C02}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.605{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38DBCC0C022FB2C18DD5D2EEAEB12599,SHA256=B69C88848FA6465A11F124876232CCEEF25E5A341CE3524424ED0D3AA35C9F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.510{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B4168A8222625A780384B468DDA73791,SHA256=7D92922F31F9E28AA9C67707AE63AD9D02BD1381BA9AE672792CF3E509572F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.297{EFF5EEA8-5D2A-6352-FF02-000000008C02}30043180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2A-6352-FF02-000000008C02}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5D2A-6352-FF02-000000008C02}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2A-6352-FF02-000000008C02}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.146{EFF5EEA8-5D2A-6352-FF02-000000008C02}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:46.083{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BCAEFBE15EEADC1099415CABE80A64,SHA256=06AA5DAD6FF3D93DB6B4BAD67900BDD5328B70EFD95273F270D044720032F54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.964{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.953{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.938{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.946{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 22542200x8000000000000000294529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.561{30B46F62-4D08-6352-6F01-000000008B02}2076www.gravatar.com02a04:fa87:fffe::c000:4902;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.548{30B46F62-4D08-6352-6F01-000000008B02}2076www.gravatar.com0192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.547{30B46F62-4D08-6352-6F01-000000008B02}2076www.gravatar.com0::ffff:192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.534{30B46F62-4D08-6352-6F01-000000008B02}2076cdn.sstatic.net0151.101.193.69;151.101.129.69;151.101.65.69;151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.937{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 22542200x8000000000000000294524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.533{30B46F62-4D08-6352-6F01-000000008B02}2076cdn.sstatic.net0::ffff:151.101.1.69;::ffff:151.101.193.69;::ffff:151.101.129.69;::ffff:151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.410{30B46F62-4D08-6352-6F01-000000008B02}2076superuser.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.390{30B46F62-4D08-6352-6F01-000000008B02}2076superuser.com0151.101.65.69;151.101.193.69;151.101.1.69;151.101.129.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.388{30B46F62-4D08-6352-6F01-000000008B02}2076superuser.com0::ffff:151.101.129.69;::ffff:151.101.65.69;::ffff:151.101.193.69;::ffff:151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.934{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.929{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.928{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.924{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.924{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000294515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.542{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C51898C486C1CB679411C56ABC47645,SHA256=D284AC9C166FA91258D06B76BEDA094F956C231792C721053E552FDE0DA8475B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.420{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.419{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.416{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.374{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.116{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CA4-6352-A403-000000008B02}5524C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e80657|C:\Program Files\Mozilla Firefox\xul.dll+851e25|C:\Program Files\Mozilla Firefox\xul.dll+8463da|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.108{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd 22542200x8000000000000000294702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.264{30B46F62-4D08-6352-6F01-000000008B02}2076pagead-googlehosted.l.google.com02607:f8b0:4009:81c::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.263{30B46F62-4D08-6352-6F01-000000008B02}2076pagead-googlehosted.l.google.com0142.250.190.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.943{30B46F62-4D08-6352-6F01-000000008B02}2076qa.sockets.stackexchange.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.941{30B46F62-4D08-6352-6F01-000000008B02}2076qa.sockets.stackexchange.com0198.252.206.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.940{30B46F62-4D08-6352-6F01-000000008B02}2076qa.sockets.stackexchange.com0::ffff:198.252.206.25;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000294697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.259{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62027- 354300x8000000000000000294696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.243{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50873- 23542300x8000000000000000294695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.885{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FA2B2CA1A0876F4F261A00087BB8E5,SHA256=95DF664A81E00C73469E74D0BBEE88310F45902B4DEE4FF2537C2EC38317C3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.835{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\permissions.sqlite-journalMD5=3C03B516B4BEBCC6BE650395B113F248,SHA256=7FC4516D230FA5F6146AE6A7F6EA3A9E90B663CDC3E8F01C1992C252E3C36E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.974{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local49232- 354300x8000000000000000294692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.958{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57319-false198.252.206.25stackoverflow.com443https 354300x8000000000000000294691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.937{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50291- 354300x8000000000000000294690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.937{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59654- 354300x8000000000000000294689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.934{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50336- 354300x8000000000000000294688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.917{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58400-false142.250.191.130ord38s29-in-f2.1e100.net443https 354300x8000000000000000294687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.833{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57318-false142.250.191.130ord38s29-in-f2.1e100.net443https 10341000x8000000000000000202213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.671{EFF5EEA8-5D2B-6352-0103-000000008C02}23483140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.608{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.608{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.608{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.607{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.607{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.607{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.477{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.478{EFF5EEA8-5D2B-6352-0103-000000008C02}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:47.243{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165B9AAB6059696E841B7D4EFB2EC7AE,SHA256=B72C52F2A09DC9751EBBC66B9C477B6B8859D5294953E70AAC6B25A8991906C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.715{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63132- 354300x8000000000000000294685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.713{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59083- 354300x8000000000000000294684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.651{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local62871-false142.250.190.42ord37s33-in-f10.1e100.net443https 354300x8000000000000000294683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.573{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57316-false142.250.190.72ord37s34-in-f8.1e100.net443https 354300x8000000000000000294682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.567{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57317-false146.75.32.193-443https 354300x8000000000000000294681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.566{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57315-false192.0.73.2-443https 354300x8000000000000000294680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.554{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62870- 354300x8000000000000000294679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.548{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57313-false151.101.1.69-443https 354300x8000000000000000294678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.546{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51615- 354300x8000000000000000294677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.544{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local62798- 354300x8000000000000000294676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.543{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57309-false142.250.190.42ord37s33-in-f10.1e100.net443https 354300x8000000000000000294675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.543{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57312-false151.101.1.69-443https 354300x8000000000000000294674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.543{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57310-false151.101.1.69-443https 354300x8000000000000000294673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.542{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57311-false151.101.1.69-443https 354300x8000000000000000294672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.539{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local59908- 354300x8000000000000000294671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.536{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.531{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64216- 354300x8000000000000000294669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.530{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63457- 354300x8000000000000000294668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.529{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61796- 354300x8000000000000000294667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.524{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52459- 23542300x8000000000000000294666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.361{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54417AB4335D4B836F5C93BB76526C48,SHA256=FBDD3DC8A39CC60FC77F01D9A3760A33F038896D436EE1B34164C73C219134BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.298{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3927F3B6073123C43192F56C7D1A6890,SHA256=065A34FA4807BB4F543720E7602D3A15319ECE50B57CD1E20A9D6B00F236FB8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.278{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.276{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.253{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.253{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.248{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.246{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.244{30B46F62-485E-6352-1200-000000008B02}3721676C:\Windows\system32\svchost.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.237{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-63C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.237{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-63C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.235{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.235{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.224{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-62C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.223{30B46F62-4D08-6352-6F01-000000008B02}2076\LOCAL\cubeb-pipe-2076-62C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.220{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.215{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.1393774815485234137C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.215{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.1393774815485234137C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.213{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.213{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.66.81417768C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.208{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.208{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.205{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.202{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.14117797908451027444C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000294642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.202{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko.2076.5588.14117797908451027444C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.201{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a9daf4|C:\Program Files\Mozilla Firefox\xul.dll+1a9bc87|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.201{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.65.165977286C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.196{30B46F62-4D08-6352-6F01-000000008B02}20765496C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+11473b|C:\Program Files\Mozilla Firefox\xul.dll+12fde11|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000294638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-ConnectPipe2022-10-21 08:49:47.196{30B46F62-4D08-6352-6F01-000000008B02}2076\gecko-crash-server-pipe.2076C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.179{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.178{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.173{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.173{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.173{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.173{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.172{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.172{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.172{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.66.814177685\554422881" -childID 64 -isForBrowser -prefsHandle 7788 -prefMapHandle 6936 -prefsLen 32029 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a12a23b5-e124-45d1-ac31-145a1df61cd2} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 8476 214de7f5758 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000294628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.171{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.171{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.170{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.169{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.169{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.169{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.169{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.169{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.168{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.168{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.168{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.168{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.168{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.167{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.167{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.167{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.167{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.167{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.165{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.164{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.164{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.164{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.163{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.163{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.163{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.163{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.161{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.161{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.160{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 17141700x8000000000000000294594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.160{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.66.81417768C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.158{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e6a234|C:\Program Files\Mozilla Firefox\xul.dll+e78d12|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+1a79a63|C:\Program Files\Mozilla Firefox\xul.dll+17ca9a2|C:\Program Files\Mozilla Firefox\xul.dll+1aa56fd|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+17f4f8|C:\Program Files\Mozilla Firefox\xul.dll+17e407|C:\Program Files\Mozilla Firefox\xul.dll+45525b1|C:\Program Files\Mozilla Firefox\xul.dll+45baaa2|C:\Program Files\Mozilla Firefox\xul.dll+45bb8cc|C:\Program Files\Mozilla Firefox\xul.dll+1fe0ac3|C:\Program Files\Mozilla Firefox\firefox.exe+19d68|C:\Program Files\Mozilla Firefox\firefox.exe+283f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.158{30B46F62-4D08-6352-6F01-000000008B02}20765588C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9f45e9|C:\Program Files\Mozilla Firefox\xul.dll+f5d34|C:\Program Files\Mozilla Firefox\xul.dll+1a9bdd8|C:\Program Files\Mozilla Firefox\xul.dll+12b25|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+12657|C:\Program Files\Mozilla Firefox\xul.dll+9da9a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.523{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52706- 354300x8000000000000000294590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.397{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57308-false151.101.129.69-443https 354300x8000000000000000294589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.386{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65204- 354300x8000000000000000294588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.385{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60748- 354300x8000000000000000294587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:45.304{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60865- 10341000x8000000000000000294586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.151{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.149{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.148{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.148{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.148{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.147{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.147{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.147{30B46F62-4D08-6352-6F01-000000008B02}20764208C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2c2c2|C:\Program Files\Mozilla Firefox\firefox.exe+5917|C:\Program Files\Mozilla Firefox\xul.dll+208751f|C:\Program Files\Mozilla Firefox\xul.dll+9ef498|C:\Program Files\Mozilla Firefox\xul.dll+9ed4e5|C:\Program Files\Mozilla Firefox\xul.dll+9f54be|C:\Program Files\Mozilla Firefox\xul.dll+1a7d453|C:\Program Files\Mozilla Firefox\xul.dll+17c9b6b|C:\Program Files\Mozilla Firefox\xul.dll+17c88a5|C:\Program Files\Mozilla Firefox\xul.dll+9ddb9f|C:\Program Files\Mozilla Firefox\xul.dll+1f65e|C:\Program Files\Mozilla Firefox\xul.dll+847db7|C:\Program Files\Mozilla Firefox\nss3.dll+73afc|C:\Program Files\Mozilla Firefox\nss3.dll+89171|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+20878|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.147{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe105.0.3FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.65.1659772860\2013796257" -childID 63 -isForBrowser -prefsHandle 7444 -prefMapHandle 3728 -prefsLen 32029 -prefMapSize 232827 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8701f7f8-e385-4b2d-ae27-4bc10ed3fe36} 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 9204 214de7f4258 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012LowMD5=1FD347EE17287E9C9532C46A49C4ABC4,SHA256=912373AF6F3C176B7E0A71C986D6288F76F5BE80DE7C9A580B110690271E9237,IMPHASH=8E3C51C1AC97BB4E0AD1FE0F10EFE09F{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000294577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.145{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.145{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.145{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.145{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.144{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.144{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.144{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.144{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.144{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.143{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.142{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.142{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.142{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.141{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.141{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.141{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.141{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.140{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.140{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.139{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.139{30B46F62-485C-6352-0B00-000000008B02}628676C:\Windows\system32\lsass.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000294551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-CreatePipe2022-10-21 08:49:47.136{30B46F62-4D08-6352-6F01-000000008B02}2076\chrome.2076.65.165977286C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000294550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.109{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.104{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.099{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.098{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.096{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.094{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000294544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.092{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\24034MD5=E09BC594525F1F45526B6CB0595DF1F8,SHA256=0E63FFC337DBADBB5D0DD7B85900FF2226784A703E71868A4B7CCFF1129186BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.090{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.085{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.077{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.052{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.051{30B46F62-4D08-6352-6F01-000000008B02}20765420C:\Program Files\Mozilla Firefox\firefox.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26bf0|C:\Program Files\Mozilla Firefox\xul.dll+e80167|C:\Program Files\Mozilla Firefox\xul.dll+e79c29|C:\Program Files\Mozilla Firefox\xul.dll+e7a5f8|C:\Program Files\Mozilla Firefox\xul.dll+e67ceb|C:\Program Files\Mozilla Firefox\xul.dll+4346026|C:\Program Files\Mozilla Firefox\xul.dll+2467ae8|C:\Program Files\Mozilla Firefox\xul.dll+9b37ad|C:\Program Files\Mozilla Firefox\xul.dll+969731|C:\Program Files\Mozilla Firefox\xul.dll+17fbb8|C:\Program Files\Mozilla Firefox\xul.dll+9b7115|C:\Program Files\Mozilla Firefox\xul.dll+44ca766|C:\Program Files\Mozilla Firefox\xul.dll+97619a|C:\Program Files\Mozilla Firefox\xul.dll+979261|C:\Program Files\Mozilla Firefox\xul.dll+977edb|C:\Program Files\Mozilla Firefox\xul.dll+9770d5|C:\Program Files\Mozilla Firefox\xul.dll+9825ed|C:\Program Files\Mozilla Firefox\xul.dll+8abfa2|C:\Program Files\Mozilla Firefox\xul.dll+82c74f|C:\Program Files\Mozilla Firefox\xul.dll+1a7a707|C:\Program Files\Mozilla Firefox\xul.dll+17c9870|C:\Program Files\Mozilla Firefox\xul.dll+1aa5624 10341000x8000000000000000294538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.045{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.044{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.042{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.022{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 10341000x8000000000000000294534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:47.006{30B46F62-486C-6352-2D00-000000008B02}27203468C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139803D0) 23542300x8000000000000000294734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.950{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF857621D8E0897A6E736062B9AB33A3,SHA256=39EEA0353F457A985459287D6D059A188238F813AFF4459ECC764A707B27E052,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.837{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61239-false142.250.191.166ord38s30-in-f6.1e100.net443https 10341000x8000000000000000202241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2C-6352-0303-000000008C02}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D2C-6352-0303-000000008C02}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2C-6352-0303-000000008C02}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.819{EFF5EEA8-5D2C-6352-0303-000000008C02}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.447{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC78A09E69EBAA239FDB5CFC4F5C442,SHA256=06122D13BAFE3D5F6CAC4DD3A44C02DF66E10E0A86340CB36682F10A1633FFD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.307{EFF5EEA8-5D2C-6352-0203-000000008C02}10442204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000294732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.750{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57327-false142.250.191.166ord38s30-in-f6.1e100.net443https 354300x8000000000000000294731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.580{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57326-false172.217.4.46ord38s18-in-f14.1e100.net443https 354300x8000000000000000294730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.578{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61236-false142.250.190.97ord37s35-in-f1.1e100.net443https 23542300x8000000000000000294729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.175{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5108EDF48AE8798ACE9008C936792642,SHA256=AF28F4E3A40ABA027E4CD5C13B37F7E00A5E1993C40E0BC45EA31F4F98A355C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.519{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57325-false142.250.191.226ord38s32-in-f2.1e100.net443https 354300x8000000000000000294727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.498{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57324-false142.250.190.97ord37s35-in-f1.1e100.net443https 354300x8000000000000000294726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.483{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57323-false142.250.191.226ord38s32-in-f2.1e100.net443https 354300x8000000000000000294725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.477{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local61235- 354300x8000000000000000294724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.477{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local52939- 354300x8000000000000000294723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.473{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50028- 354300x8000000000000000294722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.465{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51053- 354300x8000000000000000294721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.464{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50839- 354300x8000000000000000294720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.453{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local60744- 354300x8000000000000000294719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.443{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65191- 354300x8000000000000000294718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.421{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58403-false142.250.190.65ord37s34-in-f1.1e100.net443https 354300x8000000000000000294717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.357{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57322-false142.250.190.65ord37s34-in-f1.1e100.net443https 354300x8000000000000000294716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.343{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57321-false151.101.193.69-443https 354300x8000000000000000294715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.331{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57320-false142.250.190.65ord37s34-in-f1.1e100.net443https 10341000x8000000000000000294714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.036{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.036{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.036{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.035{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.035{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000294703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:48.035{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000202226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2C-6352-0203-000000008C02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D2C-6352-0203-000000008C02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2C-6352-0203-000000008C02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:48.156{EFF5EEA8-5D2C-6352-0203-000000008C02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:49.972{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31699DFEE118DF11B9B0D4646A0101DB,SHA256=E462D114942C535AF760445236B1D3F19231C0C8D2280E144672E7954C31A5EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.981{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local65208- 354300x8000000000000000294736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.979{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64015- 354300x8000000000000000294735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:46.978{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63194- 23542300x8000000000000000202256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.840{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3A6A615B2458DB15B70A91D4A7BF0EB8,SHA256=0F3F3CC1AD29817AF93DFE632337DCF8B778C5A874D7B04D334ABD885E7C4A58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D2D-6352-0403-000000008C02}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5D2D-6352-0403-000000008C02}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D2D-6352-0403-000000008C02}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.498{EFF5EEA8-5D2D-6352-0403-000000008C02}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:49.357{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68E8CAD18B9E45E0907614C1FF6E7D4,SHA256=AC3382DF1AE2A57460979221DC2B453C1B889D81A64CAA8FF3BC2784CE208469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:50.991{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45234778C2920C2CF484CB2747E258D6,SHA256=2E93029FFF43CCF2F5575DA9ABD39AE545FA6219DC1276832685634023E582B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:50.429{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0651B5AADC24D9B70675D0D276DAC102,SHA256=B63A39F270E4E0C7C5A26CB465FD965F5E103C196D267663A30B054F77B6B4D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.928{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.925{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.923{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.921{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.917{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.915{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.912{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.905{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.895{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.882{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.868{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.856{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.848{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.842{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.796{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.790{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.783{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.777{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.771{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.766{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 10341000x8000000000000000202259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.763{EFF5EEA8-4860-6352-1F00-000000008C02}12002800C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C3E190) 23542300x8000000000000000202258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:51.509{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738E47515EB27ABF542DC29E312B19E0,SHA256=2A5501348B6A0F2F48C2D68000F0258F863D1F18E7D5B16973CBC9B1A9949FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:51.492{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++superuser.com\ls\data.sqlite-journalMD5=692AC870401D2BC3A8AEF03E82080D2D,SHA256=B86126D362F3971487A96412A56DB019B31AB8920A577F198DB1C965B2D60598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:51.484{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++superuser.com\ls\data.sqlite-journalMD5=8572012E843801975A01F7D36CA0FC7D,SHA256=6ECA3E306DA7B6D5739BBEFDF23E21449106CE0B09ACF2C11C241DB499F41C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:51.476{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++superuser.com\ls\data.sqlite-journalMD5=ECAAD1937C599E2BC61B05CA35977778,SHA256=882D12B5F2040662B61920156D29C3503EDBE1BB4600163145881AC7000C1B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:51.468{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\default\https+++superuser.com\ls\data.sqlite-journalMD5=A54E2D0367756904308F21E47C54DD15,SHA256=97CE49ED2A169E06B862BCB28C0B672D229E4A41D33B535BA25615DA5AC0547F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:50.569{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:52.765{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2AC94F3C07157043252744E28BA427,SHA256=E3C867DD706B6EAAFA963D8CDF72D97A652A73218A341FCB8E00DD17376CACDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:50.576{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57328-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:52.019{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C89761FDCA42F1D2BD09C57E5C10CA4,SHA256=D4A59A762D871639A10359304A6A1555D764A879572422E91B42BCCBF11E3541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:53.781{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C24621DDE80C65EE8859FEC82DBD14D,SHA256=278145AC8D405390923DA00692BCCC006EDCA125D9BDB86EE32D34FA72676929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:53.033{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4F62E77A638AD5CC65EAAF7AFBA65C,SHA256=30F59EB8C9EDD339EB8EA8EA7A40C11A4920B1A4C293B93CC01C3E3EA1E4A337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:54.857{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFD7F9A87E1E68AD8623259FAAD6C22,SHA256=2FB2ACC4C8B6DAE8DA1B2CE34EC7FC7DBF68028BADA29AAA81F4691B0536E622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:54.052{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893D1A61DA6AA9032A76C3B06058EEBD,SHA256=E371BC6B09D89360FBEF23B7DD40C66A17BE3A8DBC3AD33C60D2F8469693984A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:55.928{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8FC995F139AC7BC0FF81E92DBCB43,SHA256=60842F12EFC4FB5A1E34649D379598BEB17C4F300752195DD2E50C92D78BF3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:55.069{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E764ED9175C95E22106BDAE54BE6593,SHA256=83C0ED31F2755ED0C31646F57DB4AEB93992F64C6B2E9C418E7165178A50C21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:56.080{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A848F89B01B0A471078F0A5EAE1D8E,SHA256=79AB38AA6FADD344B8194705E170261F97ACEF56134423ECFCEBE8E3583E54D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:57.018{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2036002522024ACB1603B40ED84CF348,SHA256=B55C6D78230B3908362A37014FC9CD0E8A1B9AF8647939B2D4504CAD97B523E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:57.093{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26DD76B9C93BDAC93BEAAE10BA6E66E,SHA256=A218F65B2A2DB65B140ED50FFDAD37AA0A9DBDB083CB1E923CB93960AB0C8416,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:56.359{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:58.095{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA011B7688AE7305B669A98BA62287C5,SHA256=75B9D39D9A34E48EEDD997CAD7938874F0BD5847E7B903A99487DA62AE819812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.112{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.112{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.112{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.108{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.108{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.108{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.108{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:58.104{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25828E49CC8FA1012770E8825A2AF1E2,SHA256=6045D4F8DCC6BA0C57621E24D8F4F6CCBC8535C1716310DFB165AAE2F7B906BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:49:59.180{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468968BB544EA000DA2C3D933DE1C855,SHA256=1561031E74656B0B500224E7D4F016E70D74C0459521E003690A237068348C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:59.121{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D5015300B43152AC59D0B254C2A376,SHA256=3207BC5E037475C9E877B202B9F40824BA1DBB35E452E9B5B4425591086735FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:00.257{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BC0F9ED7DD99C112A7745F6C7B2B23,SHA256=F3AE735CBBB4A4AA1F5355708BA6D2030DB07A3E3B686955E9D33E9FA7990E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:00.231{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DCF2D062A90C9C4CFC501453E535FE,SHA256=415798D66B3FF008F80421569AA30262B46051B5219D5CB82431D0CB68F09E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:49:56.568{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57329-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:01.330{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F33211C5E7CFF882D9E706C9F208200,SHA256=9EA6FDE646088DE3A6808AA8DEED6D72EEF9D17DA498524291576CED748F317D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:01.433{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3AFEF2E22C51C8DDE39BABF6FEE76F70,SHA256=5F9D03F2BF7A741A86D2D88828DACEE39FBB8BFD477ABAFA95173B93D26CB779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:01.345{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37EF3859BBBC6BAF0535FF8ECF7D8D1,SHA256=65DF7FE561AE53EEF89672A53D3E8AB31F807CB799DEA405D7295C5A203D79A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:02.365{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1CD95A08C4909A6FEF8970A5323A38,SHA256=E5DB71FF0893A5062558A25C2004847BE20B620BF9D0B1C0D29B0505DA83FA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:02.404{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C361984D56742594C21761BC0004B2D,SHA256=FF0B4BE0E5AB790EAB0E19D19907AC7173B14BA9FAA3C7DC11CA2A560003353B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.998{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.994{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.992{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.986{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.985{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.976{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.970{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.968{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.966{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.964{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.959{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000294794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.958{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E0CDF3440EA04D721C8FF456EAB45458,SHA256=791DEB7D7B71EE7006E974F3EC1EB99A6E4DA43F15A50687C85438AA19F23AFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.954{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.942{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.935{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.923{30B46F62-5CB9-6352-AA03-000000008B02}9684528C:\Windows\system32\conhost.exe{30B46F62-5D3B-6352-C403-000000008B02}6628C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.924{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.921{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.920{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.920{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.920{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.920{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D3B-6352-C403-000000008B02}6628C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.920{30B46F62-5D3B-6352-C303-000000008B02}71963356C:\Windows\system32\net.exe{30B46F62-5D3B-6352-C403-000000008B02}6628C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.916{30B46F62-5D3B-6352-C403-000000008B02}6628C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 userC:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{30B46F62-5D3B-6352-C303-000000008B02}7196C:\Windows\System32\net.exenet user 10341000x8000000000000000294781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.914{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.908{30B46F62-5CB9-6352-AA03-000000008B02}9684528C:\Windows\system32\conhost.exe{30B46F62-5D3B-6352-C303-000000008B02}7196C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.901{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.901{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.901{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.901{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.901{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D3B-6352-C303-000000008B02}7196C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.900{30B46F62-5CB9-6352-A903-000000008B02}72606432C:\Windows\system32\cmd.exe{30B46F62-5D3B-6352-C303-000000008B02}7196C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.899{30B46F62-5D3B-6352-C303-000000008B02}7196C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet userC:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000294772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.893{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.884{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.876{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.868{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.861{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.807{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.800{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000294765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:03.471{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32BA8B2AAE688E76DDCE552C77C9793F,SHA256=3BBC3405E4853934C28222A29D1951994E84CB983AE32C0AA8DA836837470A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:03.492{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA67D89E03313D0FD32A53343C867BC5,SHA256=254D9127966A56B480B2A534C387D2635C809F012E74E92457A6A1792E88A0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:04.973{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B46D69632751A841031CA32B1E9922,SHA256=188917AB885E61A8FA5EEE6EE332D5299881F11654F54EC4B7F3E048CFB17B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:04.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE04D3188CA9D027C2D639F87A202EB,SHA256=032B0D65C30CEE19D4C7BD03D7E9054ECC223CD378D1FF9C5ABCDFF22C1E4DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:04.917{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E9C8438C8262E699D88213E588F18B49,SHA256=8437F393DC5A8448D0958A5D5831E5DA5172B9588894E0BFC26EBEC9647D2148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:04.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24E7613763F2E38EA9B28510FBFADD1,SHA256=259958B26CBD2A6C3AA6870055E395E80541BACE283B5BCC868B125FF478965D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:04.361{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:04.356{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 354300x8000000000000000202301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:01.361{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:05.671{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5336647A4AA1770456FE1D7C53E569,SHA256=603A00AD751FC6708559BE9E34C7E352BF1030BF6E734BD099526B515FC6F3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:02.382{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57330-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:06.756{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DF51F2B2995278F4D0BA8B86F06947,SHA256=CB90ACE1792EB53BCA6F50133758B93F78E1A4AEAB19DB6FDA35C7CFC0E3C71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.989{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.980{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.978{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.975{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.953{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.939{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.915{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.907{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.899{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.894{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.892{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.887{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.884{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.882{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.880{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.879{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.376{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.374{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.372{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000294811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:06.001{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10629C7B1398EFB3D97ACC48A45CD1B5,SHA256=A06287561E4F23A1B7825467F494AF3A739473A44F0B318226A72DABF769A9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:07.836{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E9222E9E0532EF07A67C32788480F5,SHA256=BA81677A9899208C613847FFA06A8D8875FBEDC22F16F56E7524251470D902EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.129{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.120{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.111{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.103{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.102{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.098{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.092{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.086{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.083{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.082{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.081{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.079{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.051{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.047{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.044{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.043{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.042{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.038{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.032{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000294833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.029{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB0970A482461BEC7D5F75F18A2C53,SHA256=2091412D14D2E4B78B050EB17B6B20EDE6CC58EAF741E6C484369C3C31EB8635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.027{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000294831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.016{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000202307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:08.920{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD1C730BFC4E157FDE8655911B034A2,SHA256=209800CBD04861B979DB42AC12A479644D080CCA024A84CE69F17973D65F0E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:08.046{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4A60577CF8865F8B004D45747BD018,SHA256=5989AF2D940B03E9CC3C39F4DC030FAF641B1239D6789BAEAFB6BC29AB3DA9A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:06.489{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:09.056{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98CF508D1AB857605D1BA0D606DD81F,SHA256=70F1C0A86A152A177E6681FDD186981ADA377D711E10E791805A7E0648B7A205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:09.032{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=FFFF21B44DCF6D461194DAAA56C2272F,SHA256=9B7FADA3DCC39A7497CA32673B80F54BA679D5B06EA29F9ECE180D97AF53639D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:10.007{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BD505445A48E2AB5366DD97D4FE68F,SHA256=F2234C08407B57280982F70AF7E978FBEF7C5E4B29DD75EE4FC0E1B916178A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:07.526{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57331-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:10.068{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C3F32A2F7DE5A9379A222F5EDD662B,SHA256=27D782813AA6F2E557E204AE2E0D7C3B9EED4D0A068F1026DC398D78578304A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:11.077{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37C06BCDB6B9B5E498A6E5AB0CDF5A9,SHA256=60F07336FE659EB173E17B0446510307F7E447594A61654F08A30D7A599E2957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.978{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.973{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.969{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.967{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.966{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.963{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.962{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.961{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.959{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.947{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.930{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.869{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.859{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.846{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.816{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.810{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.801{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.793{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.783{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.773{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.766{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000202310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:11.084{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96276E97E6E4A7A2CB1E7040FA7F912A,SHA256=BDD2C67A40D2F2220A54681CF25AF706B01EA2C2166DA1D4476C7D7E87E82467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:12.554{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F1A42D322C8FBFCBC8233C0BA9DB95,SHA256=8731900016A4B1B761B990E1BE765FAD4BF3106C9E939E809CC8D8332074C8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:12.286{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CD6DD057CC05615ACDB79CD3D279CF,SHA256=380EE7E1E42555D19C54F89623587A4A3F74EF736A2755CCB3738051FBBDC2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:13.655{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27213875F951EF1936AA859024730315,SHA256=E7C150566F76B341848ECA5B65DD78F4A1488312EEE4B1E2FBC855CAA6CCB930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:13.398{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E771744978F7433A91F4DD03CB23C7F,SHA256=68E5ECCFCF0B488E869509570EAE9B5DFBCF029B89393455D6E9F581F24DF8E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:13.068{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:13.059{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:13.059{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:14.739{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACC954D9842DF0C1A1B71C65838CE20,SHA256=36C160EE4A444ED9045CC0ABA844E2190DEDA8BFAF6E2158177A96271355F8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:14.506{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198F82E2F0296545E59AB79825B1BE8,SHA256=E09B9665CB4424A1D4E629BCBBC3A5DE12B264E29DF0CC869DA1BD36A9776986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:14.370{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:14.370{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:14.355{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:12.408{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:15.834{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C927256CF5D5BDAB039E97CD225ED64,SHA256=EB964AA81A55DC44B8D59D6B7A9DAD6D089FCB419F57DD16F485604E68E066F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:15.902{30B46F62-4AFB-6352-2901-000000008B02}4928ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4928.xml~RF51c1a0.TMPMD5=D777C4FF4D0FE2AF046674A553B5BA40,SHA256=4E51C513F20A061CDD46B203229FB664D4B776DAD877EF7FC8069A88A4BEDD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:15.620{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ACA6C72926571F88923CAE755832B2,SHA256=462039D7EA41BA123457DEEA1C86DDE3EF1B5EF219E8538D46ADDEE7EF67D370,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:15.374{EFF5EEA8-485F-6352-0D00-000000008C02}7881196C:\Windows\system32\svchost.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:16.918{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350BD0766051F54612A16243C07F55D4,SHA256=CA7969F5D34CFF3DF4B95E0E04C2515D57EDEBF131F9A18752F8C2D33E6B52B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:16.630{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDD26162AEF67DC92F3C8E67DA72883,SHA256=E85111F16673528835A1770EF277C02265CB085E14293BE795EFCA2B728041F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:13.476{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57332-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:17.742{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A1A8D4E72F063B6C2518C25EA37F0,SHA256=C24569DD4CD327764EB96EB378DAF5E8CFE637336150ABCE2DF06393859D719F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.770{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DEA86FEB24538BAB694FF88D2D6E5C,SHA256=C65D5FEC3BE291BDCC5410CAF002E49DE2EED16990D12119A0FA3EA495474382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:18.936{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-086MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:18.006{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBF11905A0A25A907A4851FB284B626,SHA256=55449D7CD1346C573217C55D0143DDE79A1C007292BD2661841433D1822B7232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:19.830{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6198A168C25C6E539E2F735772575D8B,SHA256=6E9E6787AF37A77B5F8BCA2A5EED53CE2DA34B0C3010223E9700BB498C0A4F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:19.962{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EEE2197D03108446C0D337FA1B86F655,SHA256=428E9F71B1C747FA8F8774E2E8727E3D16FE88C2408C31FA1EAEA258D2DE445E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:19.935{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-087MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:19.082{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0122E80656E51293BC0796735B6BF722,SHA256=4549335FD523AF2265594D595956A4300D26DD9DA7D9CA06AFEA4A704ABA5AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:20.935{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA106CF3C2856BE1AC364BBE45F0F8C2,SHA256=08B67B0BA531B035E222717E492DF73827CF4DB712DD4FF5FDD77D568191CED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:18.377{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:20.259{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BCF90014472714F24176AD1723827D,SHA256=97AD7851649AA744DE06C91A56EAFF8080DA68505378023CFCCB1A6A0E09DBE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:21.345{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311886344D7A9F8F75E5FB5C2DACCEAC,SHA256=2A622627539891ADB6EBE80E6ABBC91F0D0BA98FEB36B042CDE546A7A1561AA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000294879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.600{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57335-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.463{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57334-false104.16.148.64-443https 354300x8000000000000000294877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.398{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57333-false104.16.148.64-443https 354300x8000000000000000294876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.386{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local63808- 22542200x8000000000000000294875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.394{30B46F62-4D08-6352-6F01-000000008B02}2076cdn.cookielaw.org02606:4700::6810:9540;2606:4700::6810:9440;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.392{30B46F62-4D08-6352-6F01-000000008B02}2076cdn.cookielaw.org0104.16.149.64;104.16.148.64;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000294873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:18.391{30B46F62-4D08-6352-6F01-000000008B02}2076cdn.cookielaw.org0::ffff:104.16.148.64;::ffff:104.16.149.64;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000202359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:22.438{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5782D1FEC29B7F1F454621502CEBE0E8,SHA256=CEB9AE626F7386F61B30BC5F627E23230D5061FB7071734EBB766F46FC9D7500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:22.040{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3883FB322FE4F9276BDD2BA9594E2587,SHA256=2F4712026CA934B3D42B90CD458568DF1A557A0BB3448A5740F538D00872365C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:23.534{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD02688675BA97DB6705FD0070BE53D3,SHA256=DD291E8697666A793EFCA8976A0B8D820F59CE601F86D512498B04910D6C5049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.993{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.983{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.972{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.962{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.930{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.917{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.906{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.892{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.872{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.825{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.822{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000294881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:23.196{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780526F94341DF7E6679E5CBA097C4F2,SHA256=CA1DE6A0179258590A4D2B82F27022178D491540478E3E89E4D8B2FEEA8BF094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:24.605{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05ECDF3494C93398B81211F4D343739,SHA256=D0B7E6E165DF39F17CA52A8189544CB02FD391F4AF5C57496C567F2FEA81F5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.525{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.522{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000294905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.257{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E140676ABD05A6AE43CD7E0B38E0DB3D,SHA256=65B855F2FEE83900F57F78CAFCB6E1E400EB6A88779520B153061937C8A3AAE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.070{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.063{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.061{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.053{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.051{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.042{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.035{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.032{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.030{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.027{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.020{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.008{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000202363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:25.705{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC88DF012207D75454A1D9AA15E8057,SHA256=1A7FB374D0C9C057DA6FBC1D5A46DB0B79971C242D8C5DD85EC13C58C43CCA34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:23.422{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000294908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:25.298{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D04E0466753C5373D38F8B8695A613,SHA256=BBF3BD03868B836E1FE40450DD06408877E9454C13233829CE96D5B1414502F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:26.785{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0083BFC52C7551A94211F7E0B1822BF9,SHA256=05BF6D4B9EE3764A6B191F0B96D21D200E7B761FF6A6969CC886540BB1EF1989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.551{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.550{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.548{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000294913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.371{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A587B42048D4A900E32C79BA10D788C8,SHA256=0B09FA30479DECFC332403EEC65DFA39998E6C75B9329B41461BF80F8E0B1FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.294{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.294{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.294{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:26.279{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:27.856{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E6BC68DD0F75E0FC81025FEE8F9711,SHA256=29FEACAB48F95770B05760BA1FF55EA8392A35375AC7477265DD78B7D644E760,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.706{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000294957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.706{30B46F62-48CF-6352-9A00-000000008B02}48045052C:\Windows\Explorer.EXE{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF802EDA74638)|UNKNOWN(FFFFB88ADB077E08)|UNKNOWN(FFFFB88ADB077F87)|UNKNOWN(FFFFB88ADB072611)|UNKNOWN(FFFFB88ADB073FDA)|UNKNOWN(FFFFB88ADB072296)|UNKNOWN(FFFFF802ED789703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000294956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.706{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF51efc4.TMPMD5=1CBC3FB387CD0E50A7B9C99EB0A76401,SHA256=3E59926F8964FFEC5F4B531C98AEDC91EBF8F4E5FEAC22EA9C567B4736F7CDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.590{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE52F5F8F0725F3F5A63B9D44E4DD15,SHA256=6B09B9455B7200E8FF44FC07DD0410C8B874593484FFBC114FBC90A21E152B79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.265{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.261{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.259{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.257{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.256{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 354300x8000000000000000294949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:24.464{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000294948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.253{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.248{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.244{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.243{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.242{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.242{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.239{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.222{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.220{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.216{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.215{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.214{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.212{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.209{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.207{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.200{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.175{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.165{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.164{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.161{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.144{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.134{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.103{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.098{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.089{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.085{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.084{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.081{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.079{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.078{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.076{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000294917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:27.075{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000202366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:28.949{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6201613D3100437F1EC8B83449D296D,SHA256=25C2311BB42A16BEB44BFCC12EA751D2B3AA8C1AB29125C5213964E5F0B7C7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:28.692{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874FEF34D6A7466CB945B22C14BC37D8,SHA256=CA10DC12E191B30D437C0F9E09192730505BA20A49001DF26372B0BC38CFAEDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.862{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D55-6352-C603-000000008B02}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D55-6352-C603-000000008B02}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.854{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D55-6352-C603-000000008B02}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.856{30B46F62-5D55-6352-C603-000000008B02}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.778{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D20B2C8BE19A0487A18F690CA3087BC,SHA256=82E48940891B6C7A1579041CE4AAAB68A48A81EF9E2AD96001E23A21FB0D77C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.479{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=783D843F668BF56CC400190AAF091DF4,SHA256=864213E4943AE09F9C6F2360C8092216DF374B5CB71C780D12FC3F941BF60ADA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.377{30B46F62-5D55-6352-C503-000000008B02}25368148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D55-6352-C503-000000008B02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D55-6352-C503-000000008B02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.192{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D55-6352-C503-000000008B02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.193{30B46F62-5D55-6352-C503-000000008B02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.883{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-086MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.855{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0A3356D3B4547662BCA3B24378D9ED,SHA256=62600F4ECE415700EED0C9A94AFC3EC6D65F786D93958011F61110462EFE5296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:30.031{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:30.015{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55EEA6E4811E7E7C265E7F043C422CC,SHA256=390BFF6E176FEF15724E49750AAF164F2D16D817422035CDD766B228B521C864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000294988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D56-6352-C703-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D56-6352-C703-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.354{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D56-6352-C703-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.356{30B46F62-5D56-6352-C703-000000008B02}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000294980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.294{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE3DBF25F3E4BCFF464F48B3EDC96D24,SHA256=6224CEE5A72342F22A212D0D97D17BAB41FD07E6E7AA221931BD4DDCFF48E862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:30.154{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:31.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C7D583405BD19A51CF8BECF8DAFE52,SHA256=11475279C5D06B3AF5345744D391D7BC1CAA48FF6440E63CCEE609B07EE67FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:31.883{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-087MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.929{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.922{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.919{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.917{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.914{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.905{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.895{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.892{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.890{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.881{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.868{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.858{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.850{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.843{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.835{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.828{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.797{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.789{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.772{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.764{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.756{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.753{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 354300x8000000000000000202370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:29.326{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000202369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:31.102{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B22F604BFC8AC1880B73FE44C48B495,SHA256=4B651D420BC0E4E0AB02162F147552785F7DF76A430EB765832A1000B101736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:31.730{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D2417FF5B8C7415D276B751111706DD4,SHA256=E4BFACCE6B3C4652C93ACE15D41D7FA9FBFC8C228A958C1A499DD6498139C0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000294996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:32.959{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C12CB705EBC596A31399C5A42C347F0,SHA256=3C10FFCC9872D9386DB945ED805B5FBA69554B1CF45E13CF4DDE24854A98C962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:32.750{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5215A6A5CBA8E590534EDB3ED078C05C,SHA256=A17596AA548FFB861DD72375A0F3063CF9E89231CC032F737740C298EF7B110D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:29.450{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.626{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57338-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000294994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:29.503{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000202402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:33.800{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AEF0EA155BFE975259BA83F21B72F5,SHA256=A3CB33CBAB37AE200FDA07AE845D3078982EB5E6D9028947CCD1199D337FBC88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.401{30B46F62-5D59-6352-C803-000000008B02}22726772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D59-6352-C803-000000008B02}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000294999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D59-6352-C803-000000008B02}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000294998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.214{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D59-6352-C803-000000008B02}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000294997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:33.215{30B46F62-5D59-6352-C803-000000008B02}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:34.882{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B56CBAD31156B409F9F145D0FF52FFB,SHA256=B797F7AD13DF935667D4157B5B25C67629DB80B20DE0E0563DB9B220AA967820,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.749{30B46F62-5D5A-6352-C903-000000008B02}18407848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.514{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D5A-6352-C903-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.511{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.511{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.511{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.510{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.510{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D5A-6352-C903-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.510{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D5A-6352-C903-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.510{30B46F62-5D5A-6352-C903-000000008B02}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:31.790{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57339-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:31.790{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local57339-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000295006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:34.020{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA7ECD7B640C58FAFF5F536D0BD3A3F,SHA256=7949C819E486B3F71CE2BCB89A226036BE04AF736C9644907904A0DB1F0019DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:35.976{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC4B57DFD5D55720BEC06D8467422B5,SHA256=EF00906828660FCA1855E219D2F0968E1093608A598252637DE8CB517D8A4D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D5B-6352-CB03-000000008B02}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D5B-6352-CB03-000000008B02}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.866{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D5B-6352-CB03-000000008B02}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.867{30B46F62-5D5B-6352-CB03-000000008B02}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.541{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0781D84E302115F679209400BFF6A718,SHA256=D8AFF771AE0C605B1D6BA16B0EE441B1F85D7B9E4687872597F5B319CE06E3D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.474{30B46F62-5D5B-6352-CA03-000000008B02}45367228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.205{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3ED9C38A56C74EBEB8FC4591C54321,SHA256=1DE6750AD22F9C68D1212ECD75278EEA331D5841B7791F2493FFB9F2F5196AD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D5B-6352-CA03-000000008B02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D5B-6352-CA03-000000008B02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.190{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D5B-6352-CA03-000000008B02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.191{30B46F62-5D5B-6352-CA03-000000008B02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:36.306{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7171488BD5624B2EE7B41CB412E5B16F,SHA256=22499B90D671E024462CB022AECB4B0B525EA1982760DCF6F236487400D4EC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:37.062{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460F241475760261FF1E48FA139DF11D,SHA256=EAB16AE09AB38C644E74068EEA6A19CF345D72AC77C480F0202D9D3871DC594A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:37.367{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBDD2A338364E7E7C304773823A1256,SHA256=D389F4F4802B73E919798ECCE180F5FD3D539C568F30B168053AFB2382DA5192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:38.144{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC24C8CFE13DD1F84AB1A2B188B93082,SHA256=5AA0AC1E0F0E97E7EE6D24E4D310E313F966879FC8FED62B9CC797457BEBC767,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:35.381{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.827{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.827{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.827{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.827{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000295078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000295077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+212b08|C:\Windows\System32\TwinUI.dll+be770|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000295076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+212b08|C:\Windows\System32\TwinUI.dll+be770|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000295075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.811{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.796{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.796{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.796{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.780{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4efd5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6209f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000295069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.780{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4efd5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6209f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000295068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.780{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4efd5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+3d2fb|C:\Windows\System32\combase.dll+3e912|C:\Windows\System32\combase.dll+63ce3|C:\Windows\System32\combase.dll+3ea2d|C:\Windows\System32\combase.dll+6209f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000295067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.780{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000295066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.780{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000295065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.756{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+517b9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.756{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+517b9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.756{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+517b9|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.756{30B46F62-48CF-6352-9000-000000008B02}42526320C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000295061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9100-000000008B02}43046268C:\Windows\system32\sihost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000295053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9100-000000008B02}43046268C:\Windows\system32\sihost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000295052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000295049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.656{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.655{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+bdcc8|C:\Windows\System32\TwinUI.dll+bdf2a|C:\Windows\System32\TwinUI.dll+beb0b|C:\Windows\System32\TwinUI.dll+bea92|C:\Windows\System32\TwinUI.dll+10a383|C:\Windows\System32\TwinUI.dll+10aff3|C:\Windows\System32\TwinUI.dll+10bb37|C:\Windows\System32\TwinUI.dll+d5d44|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.655{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+fcc8c|C:\Windows\System32\TwinUI.dll+b9d14|C:\Windows\System32\TwinUI.dll+b5a2b|C:\Windows\System32\TwinUI.dll+d5d2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.654{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.654{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.653{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.652{30B46F62-48CF-6352-9A00-000000008B02}48045088C:\Windows\Explorer.EXE{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+b0b16|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.569{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000295040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:35.613{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57340-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:38.424{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECABA8537AF752496951BF50CF95450,SHA256=4FC6DCB7FC658F32789823C7D58A3FCA284D01273B807BCE49A143B2FA6C2891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:39.235{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9869350B5331F96BBBD4EFCDA6CE4C2,SHA256=286E4F165B8556BEC9F81C6EAA106595304FD735ADEB72BA98AA7CD31BAB4CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:39.496{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE931C14488CAF3AA19674C5E585C8EB,SHA256=A802FDEA9EB83331B3A2B9950C27EA58F9A9AE15D374FD9AA91B9683CC3E4911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:39.099{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBE36EDE16A1BB798AE746F97350110,SHA256=6EEC31BF4398C042F69AADBC9BFD6442AE384236F4CABCECCC2919A8F7842614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:40.325{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3933128719CC9F5479A4320422FB7FE8,SHA256=147272370C0E687BE96AC82FD5B3D519556538406A49D48AFE5F1FEBFBA6F6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.774{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F6628EF9F3C9F56DC7B25A98AA7A00,SHA256=6E8599469786BFB55CD631BA19EC0FB0347344AD55CA2572E039983A0BAA00FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.644{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.643{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.643{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.642{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.642{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.642{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.635{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.635{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.635{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.633{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.498{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.498{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9300-000000008B02}43484424C:\Windows\system32\taskhostw.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.482{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.413{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.413{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.397{30B46F62-5D60-6352-CE03-000000008B02}22927652C:\Windows\system32\conhost.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.397{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.382{30B46F62-48CF-6352-9A00-000000008B02}48047256C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\SHELL32.dll+100749|C:\Windows\System32\SHELL32.dll+ff2f6|C:\Windows\System32\SHELL32.dll+f1bc9|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\windows.storage.dll+12c92|C:\Windows\System32\windows.storage.dll+12989|C:\Windows\System32\windows.storage.dll+1285f|C:\Windows\System32\SHELL32.dll+f1c4f|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000295102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.390{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000295101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.357{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.357{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.357{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.356{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.356{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.355{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.355{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.354{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.354{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.353{30B46F62-5D60-6352-CC03-000000008B02}6284C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000295091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.346{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cba0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.346{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cba0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.346{30B46F62-48CF-6352-9000-000000008B02}42523080C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cba0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.345{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000295087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:40.344{30B46F62-48CF-6352-9000-000000008B02}42525680C:\Windows\System32\RuntimeBroker.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 23542300x8000000000000000295140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:41.731{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85763BF22BE01E0438E840A1D8B120A6,SHA256=AC960FCB5BA251F982F93E21A9B6CDD986B2E51DBB7C3BE05CBFA1CDDFAA8EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:41.413{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762371EAB38A39C94C3C365DB6B1465,SHA256=EDCDCC776269E018D8C7C11477664EDA3AAFF71914186826ABE555072C4F4F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:41.414{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D10EC6174D8337DF09A25FDFB984CFD,SHA256=F14A8FE997296669D715FDF9A0EB912B959AB885497257BC646E97C5D89ED535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:42.495{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17F830B49D33D3B3C6C0E13AC74EA44,SHA256=1F23C520CA0A1240B32DC00C7AF4E3F800F1523332EC926EC554119B06005F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.803{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E1043A0E9EF15DC601B00BD51F1828,SHA256=26D2D75A06692BA0228D806E25EF4E02D5ED27E6E20B4945C3A72BCAD4AC1EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.683{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=49F4410615A6AD4B0DDF87137517A3C5,SHA256=0C6295D83CE99FF6C7E65940C497DDF9FBEA0F3A36762CD9DF7A23420FD10434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.454{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.454{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.453{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.453{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.451{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.451{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.451{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.449{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.449{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.402{30B46F62-485E-6352-1000-000000008B02}30892C:\Windows\system32\svchost.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.402{30B46F62-485E-6352-1000-000000008B02}3081360C:\Windows\system32\svchost.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.376{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.376{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-5D60-6352-CE03-000000008B02}22927652C:\Windows\system32\conhost.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-485E-6352-0C00-000000008B02}8326852C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-48CD-6352-8900-000000008B02}31166832C:\Windows\system32\csrss.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.360{30B46F62-5D60-6352-CD03-000000008B02}75327420C:\Windows\system32\cmd.exe{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:42.359{30B46F62-5D62-6352-CF03-000000008B02}7032C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic.exe COMPUTERSYSTEM GET DOMAINC:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000202413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:43.572{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB0A30CAD451709CCFDDEC3FF89C44F,SHA256=514622B53E078D1542508109797AC0234BBA8C4C6129DC44AED24856ED4742A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.995{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.993{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.987{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.986{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.978{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.971{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.969{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.965{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.963{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.958{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.953{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.939{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.932{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.924{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.916{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.889{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.875{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.869{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.860{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000295168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.854{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14EB455AE991661232E28EAB230AE29,SHA256=398A98429EA04A29D895AC6344BAFD9ABDA8947852DBD481A43DAAE165B8E524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.846{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 354300x8000000000000000202412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:40.553{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.798{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.795{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000202414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:44.650{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409394E45DF2D4C1DFD7EF962161A657,SHA256=BBE5B9175591D38EA319D7E166A16C90F8C17103B8732DC640B9D1B817B01652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:44.885{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94394E1292FB7C7436E8393080E93CF,SHA256=B2DA71A8A4B8C29C3C5ED3FDF4EE4F15F9C92527E9955570D340364C7DDE05E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:41.603{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57341-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:44.354{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:44.351{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:43.999{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000295193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:45.967{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685E71E35136D587680687AE8CF9F3F6,SHA256=95D4E2C687436CF426EF3B0BE0DE5060755C60C47C45C56F816EAF8580C64862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.753{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3864E070F28E3B8650D3BAF665A9754B,SHA256=4035A610950437B6B81A1DC2773C1EF19F8257A1A6E5C574EFC9B73A0C61DD16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.675{EFF5EEA8-5D65-6352-0503-000000008C02}39603500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D65-6352-0503-000000008C02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5D65-6352-0503-000000008C02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.471{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D65-6352-0503-000000008C02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:45.472{EFF5EEA8-5D65-6352-0503-000000008C02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.976{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000202458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D66-6352-0703-000000008C02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5D66-6352-0703-000000008C02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.770{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D66-6352-0703-000000008C02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.772{EFF5EEA8-5D66-6352-0703-000000008C02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.708{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0B8C8513F39B6A61ADC5F19042BBB4,SHA256=5D533CF4C143306912583B70EB2F1EE4CF56422BD10FBC3711D323DF0CA1F1BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.964{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.955{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.951{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.949{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.945{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.944{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.943{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.941{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.940{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.426{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.425{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:46.423{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000202444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.536{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD1A4FBF83744EF236AA9E54FDF8718,SHA256=5EF9DD176E016C75C4FD1872698C7FAF5BEDFD2B61D5F10AB46A358FE70D4535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.444{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CFEFD31F3AFF71A5CC5BF998B263D4F7,SHA256=D3CB698A3D6A37771E71B56B6971FC255DA1C94118F541466F20138EDC7D08B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D66-6352-0603-000000008C02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D66-6352-0603-000000008C02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.143{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D66-6352-0603-000000008C02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.144{EFF5EEA8-5D66-6352-0603-000000008C02}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.888{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DD0AAF8308DBBE041AA0914F806E2E,SHA256=3D64B71FE4FA20DADF8F8B52E206126F92F10C8288C0637D88234001DF54388C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.172{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.172{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.169{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.167{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.164{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.163{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.162{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.158{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.155{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.149{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.148{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.147{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.146{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.144{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.123{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.119{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.113{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.111{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.108{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.104{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.100{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.092{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.059{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.051{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.050{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 23542300x8000000000000000295210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.048{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD7C039CF3862F62CCCAE8F39A460D0,SHA256=561A7C54972A90E84680316260D8AF732E1232128A49ED81132832D47A2BC2B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.047{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.025{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000295207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.011{30B46F62-486C-6352-2D00-000000008B02}27203472C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A43D0) 10341000x8000000000000000202472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.623{EFF5EEA8-5D67-6352-0803-000000008C02}35201860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.451{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D67-6352-0803-000000008C02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.448{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D67-6352-0803-000000008C02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.439{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.438{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.438{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D67-6352-0803-000000008C02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:47.437{EFF5EEA8-5D67-6352-0803-000000008C02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000202501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.935{EFF5EEA8-5D68-6352-0A03-000000008C02}32243240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D68-6352-0A03-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5D68-6352-0A03-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.794{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D68-6352-0A03-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.795{EFF5EEA8-5D68-6352-0A03-000000008C02}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000202487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.335{EFF5EEA8-5D68-6352-0903-000000008C02}33243396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D68-6352-0903-000000008C02}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5D68-6352-0903-000000008C02}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D68-6352-0903-000000008C02}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:48.123{EFF5EEA8-5D68-6352-0903-000000008C02}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:48.224{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CF4224BA1297F9333E76109A65CE48,SHA256=8C70894157C184960FB754179A9CE8C2309B0D6E0C2E06703E47BF251CC19432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.990{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936A75427A1ADEF550AEA746A171DF98,SHA256=6E7DD1131E2F3E2B3EEA64704437E5AF1763DECE78143210E072C4E51977D80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:47.522{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:49.242{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A637B8D79B34863E241EA564600D19D3,SHA256=285EF0A9E86FCB1A516E4B59565E99D1D56E456ABFB39C27ADF57E8EC6318E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.521{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C1B68209B73C14B3FD4551FC2F7894,SHA256=E9DA6F2E2C95C0AF17765348CAFC2D1F57E08B882B7E7E5FB0022631B57BE491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:46.471{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000202514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.465{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5D69-6352-0B03-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.464{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.463{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.462{EFF5EEA8-485E-6352-0C00-000000008C02}7242772C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.462{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5D69-6352-0B03-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.462{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5D69-6352-0B03-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:49.462{EFF5EEA8-5D69-6352-0B03-000000008C02}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:50.327{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C2A319DE5BE3961B3322D367D489F5,SHA256=0F915E40FBD6269BC901391E25CCD0E42490E1C3267766577BB80955C0070ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:50.052{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E22DCE8E5F1B701D8EB09AA174F9900,SHA256=99DDDA46784CE6464AED5FD2C2A363497FC616C27A6402ED6CD9A55F6B36F114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:51.412{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24179710D1A33C38673B6C01D40A152,SHA256=CB7D6832436248CF9E9AA9520CE6932ECDFF112F90FA406946D0B4A631EAA0F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.922{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.920{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.916{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.914{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.913{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.910{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.908{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.904{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.888{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.886{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.878{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.864{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.855{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.847{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.841{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.833{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.827{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.793{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.785{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.776{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.762{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.756{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 10341000x8000000000000000202520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.753{EFF5EEA8-4860-6352-1F00-000000008C02}12003168C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012839150) 23542300x8000000000000000202519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:51.085{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF2A8D069BB4F46B8BA09A8566B5B5,SHA256=A1A8536FD19D7C2DE7875B2F4DD3EF1A1CF8D8B2C6C619E05BB88F1E68E37787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.594{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57384DE70C42EBC7085C5EA41DACA5EC,SHA256=8079BB1EF17DE459C33DD0A94D79E7D98925774CD6708AEA1E703E456B30007A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:52.265{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5B4F4D2D4350069E989088BD8584E0,SHA256=485FBD78F52A2C285243CB9C6703CA96BD42D6ED00E020D92E9AEC487C4450F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.089{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F77D24B48E72B04A1657E60A37D93774,SHA256=2F80EED4F0E25B33C67A77140C2438441305D0B42C00EA5ECA15F05DF35267C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}4804656C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:52.073{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:53.648{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71621842EA1A9333D165F3145DB20047,SHA256=42303C818E0BFE03446856F6A100BFE283EE41169403DE5CEA8895DAB6D3697C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:53.349{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E6493493673B79F922DDF9247F7A0,SHA256=257456BB5C868AAFC7AE7358879A5A464853E0D45F2A6DE0976F97C7A3DE4C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:54.750{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDE84BEBD03F3B27BA568C3AF8E2D2B,SHA256=86FB917843333B585BB2D4A25C237AE56ACA2A60B5E5A7C068D84621F406C5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:52.353{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:54.424{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A29038A98FD5167021A55EDD5FE183F,SHA256=4F09E5A1CBF93E443B93C227E29ED5D1706194C99287E44FCD564DC1391F8D1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:54.645{30B46F62-48CF-6352-9100-000000008B02}43046268C:\Windows\system32\sihost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:55.836{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1919954B8331B2E17F66C7AF91714247,SHA256=DA7D9B3E61323A67BD78BA4DEDC190F950AB424E04676CB79AE2615E7548DF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:55.506{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B2A448CC0DD748355215F570A40012,SHA256=FDED785E79BE16E9E488D06C632644A311E1FC907B66FF41CEAE351D6AD0FA1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:53.485{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57343-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:56.923{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A15AB8F3C05FD67CA73BC551EA2FC0,SHA256=2E2AFB07932E9CC441606A121BA73C924D498633220E09FC799882AE5DB1B13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:56.585{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B475448372562EC1DD2F64AF23039119,SHA256=FACA5939E098348E986D65AE7BF25DF422ECBAB2406440B2F33753AD8019C6E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:57.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A898279779C8558F9BA37EEA576AF,SHA256=0C519A7DA3FE3EFA81521DC683CCC41417646E781BA35E975892A26513CFA309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:58.742{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463F7C289CBE726C44903A3E544AD800,SHA256=1A03558C3BBDC9971E1A63BA0F81F4FBB86F0D618F8B10C003B5140C04393523,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.903{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txt2022-10-21 08:50:58.903 23542300x8000000000000000295262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.903{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.903{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\AlternateServices-1.txt2022-10-21 08:50:58.903 11241100x8000000000000000295260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.877{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:50:58.875 23542300x8000000000000000295259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.877{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000295258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.876{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\SiteSecurityServiceState-1.txt2022-10-21 08:50:58.875 23542300x8000000000000000295257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.000{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C979DDF4EB65755E3A02D652CB6984,SHA256=989E62110A4317B016B5FD71E55BE7032DD4DE4FF9D00684AC9EF5D96A8FD319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:59.830{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F60D969A70BF6AF026E7E16F816F339,SHA256=C2A29B20D9932B4D4C5A3BA541BF6E15804FA2A2FB6FF5419DAAB343330FF751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:59.121{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=39B0C5B890590FA4FEA19166BFA20780,SHA256=C5437DA45884FC3E93D8196D8E08793840157EDFEBEDAE81D09FC01DA470B6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:59.042{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A7F642ECBAAAE01FEA3FE73DD51C56,SHA256=368BE7304861B524096EEDC277053267D5C48843AE61600D300C5EB8E38D5CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:00.922{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E603FCAD2A0DDAF0E7B1281F8B71D9,SHA256=F0C5F2426E84F30ACD8516309A2BE06FE751AED512AC741D50FDA1ED4C81EEED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.703{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51962- 23542300x8000000000000000295266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:00.106{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFCB1A8965189C14F605B2781A65524,SHA256=8ACDF0AFA90FD8ED74EB68BD4A9E8ABD83D45A4FB4FB757C9DAFA4642746AC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:01.962{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D1137268F9FDEFEE2442F3344DAAF8A3,SHA256=0DE41B39EE42EA0FB789500E791F326A868C31FDFE4DFE519ABA68F691EFDD6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:59.495{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57345-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000295270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.718{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57344-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000295269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:50:58.705{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50494- 23542300x8000000000000000295268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:01.255{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C491358D4705CCFA4786BE113D9FD1,SHA256=B073C90B3B78A765A42A2C827B3D89CC727A5A9ADBB0ADCD8926F2EFE26B673D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:50:57.560{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:02.307{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D68C0FFC545D85A6D5E2061E8E6F26,SHA256=2F66E1DBD278776D907C298C0308E731A3AFF0378643F4A85E54DD23AF7CB814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:02.010{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03972A1998979F8154B4312562F8D14C,SHA256=1F5EDF9764A3C90DF155CA23342161905A685C22425C7A8738DC083A2674D6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.991{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.961{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000295283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.958{30B46F62-485E-6352-1100-000000008B02}688NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D4645CB0C24046B1DFE11BAB58CCCFB9,SHA256=D5B5E71B07CFA8ED40488C25D719328CBD00D274C390DBB5904F51A427455C2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.944{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.933{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.920{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.882{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.854{30B46F62-485E-6352-1000-000000008B02}3087452C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.854{30B46F62-485E-6352-1000-000000008B02}3087452C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.797{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.794{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000295274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.363{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB3DF4553745C1C2BCDA87C4A946FFB,SHA256=2D32C4F851689A0408AD0E9CE5A3BBA74FD14DCF21F20B7F7322A9F90A29A981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:03.097{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A633536616F7971A2A620EBE2D54B9CC,SHA256=7AA70C0E89D74610CE6CCB1C9AA7F61267646A522B7DDED86EBACD6F9AF12373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.759{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12DA1B1262003BD7603F1F72DD18E98,SHA256=23BA3593A36AEE31AF25FAF0877469CB7F49467201C8347BC96F710733977D26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.517{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.514{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000202580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.927{EFF5EEA8-485F-6352-1200-000000008C02}1008NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F2088E9753B4EDDB0565D98428F913C6,SHA256=5A748DAF26F5E119A2541B23EF69C0D58D506672469B0212A32D09810277D6CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.521{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.521{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.521{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.521{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.521{EFF5EEA8-485E-6352-0B00-000000008C02}628676C:\Windows\system32\lsass.exe{EFF5EEA8-485E-6352-0A00-000000008C02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000202574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000202573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000202572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000202571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\LeaseTerminatesTimeDWORD (0x63526b88) 13241300x8000000000000000202570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\T2DWORD (0x635269c6) 13241300x8000000000000000202569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\T1DWORD (0x63526480) 13241300x8000000000000000202568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\LeaseObtainedTimeDWORD (0x63525d78) 13241300x8000000000000000202567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\LeaseDWORD (0x00000e10) 13241300x8000000000000000202566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\DhcpServer10.0.1.1 13241300x8000000000000000202565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000202564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\DhcpIPAddress10.0.1.15 13241300x8000000000000000202563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:04.521{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{cc71a708-9155-46c5-b188-0bd188018f27}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000202562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.190{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB67B0ACD0D11BC9005D3259F1BD08C,SHA256=DEC15929D567D14A71FF653D91C00BA0A6205C10C2DAEB697EFC4F93D87F9493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.334{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\86ltvkez.default-release\cache2\doomed\24767MD5=6B5C492A328AE74337C840B38CC4C74E,SHA256=8748C7355856DBAFB4AE411473036C5026401FFEAD99F7A30EE81CD2E1FCDF2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.112{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.106{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.102{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.094{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.093{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.082{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.070{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.067{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.065{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.059{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.054{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.048{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.032{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.022{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 13241300x8000000000000000295298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000295297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000295296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000295295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\LeaseTerminatesTimeDWORD (0x63526b88) 13241300x8000000000000000295294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\T2DWORD (0x635269c6) 13241300x8000000000000000295293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\T1DWORD (0x63526480) 13241300x8000000000000000295292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\LeaseObtainedTimeDWORD (0x63525d78) 13241300x8000000000000000295291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\LeaseDWORD (0x00000e10) 13241300x8000000000000000295290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\DhcpServer10.0.1.1 13241300x8000000000000000295289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000295288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\DhcpIPAddress10.0.1.14 13241300x8000000000000000295287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:04.003{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9288ef2f-55eb-4c32-8095-ef3a60702794}\DhcpInterfaceOptionsBinary Data 10341000x8000000000000000295286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.001{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000202583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:05.730{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4ABC06926FC9FB91A6A5E0D71D602A01,SHA256=7BBFE0AE28316D00E0940DB5E0082E090EB266CF88B8FB705C5B141B4C997C87,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000202582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-SetValue2022-10-21 08:51:05.543{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e52a-0x415d0650) 23542300x8000000000000000202581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:05.277{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87315A1208E5536418A27AA26D1E46B4,SHA256=B55F3B61E4716C5F744B68C11C0A8E4840B2EBC84B6799D02DEEE7967DA1ED2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.576{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85F2FF191CE7F3145441AC30C6792E7,SHA256=D8222A1C953F739BCE85CA80F7FFCAC52BC117D1993C2FB680C6032205E51A46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:03.374{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 10341000x8000000000000000295318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.010{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.010{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.692{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947EB2201C01E9D954714AA8D26C137D,SHA256=8C5CF8E75CF7B3339A630F19C020FEACA55847E0C2BE160E4C0A8B57960B566B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:06.365{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EFF5FD29F1B89213FBF91ED5E70C25,SHA256=4C18791AC6CD5DEE606861862084AF872EA91F1DF7B39F50E02C9860B61008E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:03.857{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:2801:c428:8a88:ffff-63115-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000202586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:03.857{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:3120:1e3f:76c8:14d8win-host-ctus-attack-range-144.us-east-2.compute.internal63115-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000202585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:03.831{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 354300x8000000000000000202584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:03.525{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.555{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.554{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.551{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 354300x8000000000000000295336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:04.539{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local57346-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.135{30B46F62-49FC-6352-E200-000000008B02}1264ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\new 2@2022-10-21_085059MD5=D3AE4CB14A5BE9142CA1103302E4D3F1,SHA256=B08092563DE274EFB92C1B0818CCF0F904840CA78B05EE2D1AAB340704ECCE20,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000295333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000295332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000295331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\FlagsDWORD (0x00000002) 13241300x8000000000000000295330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\TtlDWORD (0x000004b0) 13241300x8000000000000000295329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\SentPriUpdateToIpBinary Data 13241300x8000000000000000295328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\SentUpdateToIpBinary Data 13241300x8000000000000000295327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\DnsServersBinary Data 13241300x8000000000000000295326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\HostAddrsBinary Data 13241300x8000000000000000295325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\PrimaryDomainNameattackrange.local 13241300x8000000000000000295324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\AdapterDomainName(Empty) 13241300x8000000000000000295323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\Hostnamewin-dc-ctus-attack-range-188 10341000x8000000000000000295322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:06.035{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000295321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:06.035{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{9288EF2F-55EB-4C32-8095-EF3A60702794}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000295396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.888{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488302A8652B9896C20470541B01F9A,SHA256=01C09AA997BDC82F662CB685F68602F47D1E5728F2DA94C217B0A3D921CA3DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:07.456{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251428D304F488F71B90C59D0BE2C8F0,SHA256=76A173C934BFB29188982D47ED830B5ED8A0F37441543B9251F6A9BBA4855916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.424{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local61669- 354300x8000000000000000295394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.423{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58400-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000295393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.423{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9830:5aef:2cd:ffff-58400-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000295392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.423{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local64447- 354300x8000000000000000295391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.422{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58400- 354300x8000000000000000295390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.422{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local58400-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 10341000x8000000000000000295389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.258{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.257{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.255{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.253{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.250{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.249{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.248{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.244{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.241{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.237{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.236{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.235{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.235{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.233{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 354300x8000000000000000295375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.417{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51835-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.417{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51835-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.416{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51115- 354300x8000000000000000295372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.414{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51834-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000295371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.414{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51834-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000295370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.412{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58400- 354300x8000000000000000295369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.412{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local58400-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local53domain 354300x8000000000000000295368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:05.412{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local50099- 10341000x8000000000000000295367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.215{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000295366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.214{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=157547784164E9F627ED19CE9D8CB513,SHA256=19F3D6F6143183DB09F4E2A8B638FDF0942C8ABE4B2130D2D0BCCFFDC408E765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.212{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.209{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.208{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.207{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.204{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.201{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.198{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.191{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.167{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.158{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.157{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.151{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.136{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.127{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.098{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.093{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.083{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.079{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.078{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.076{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.073{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.073{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.070{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 10341000x8000000000000000295342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.069{30B46F62-486C-6352-2D00-000000008B02}27203404C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000136A4190) 23542300x8000000000000000295341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:07.052{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A77CA91B345285E11ECA6029D4D8875,SHA256=D27E2E005E399D654BD2FCD44F16C07DCC3749AB5469AAB00A563ECD76D97CDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:04.837{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000295398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:08.939{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21501D04A2CBAB890E8B3E1B244F9421,SHA256=EA6C9209B3345100A06B36ED2170465651EAC3D1F8E548CC0F179956E8EFCE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:08.543{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E948170BB6C661B8BD544DFAC05779,SHA256=C5B5AEBDCDA14475BE451122C37CF36545834ECEA53819A13DD72E38C7E67B22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:08.570{30B46F62-485E-6352-0C00-000000008B02}832964C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:09.618{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F091F6CF1EC643DE8B9E4541A399FE5,SHA256=2CFCA4B685DDA32A23462F051A99E6E0623F777C94E326C38EABFF9E4AAF12F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.615{30B46F62-485E-6352-0D00-000000008B02}888908C:\Windows\system32\svchost.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.515{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000295404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48046884C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:09.141{30B46F62-48CF-6352-9A00-000000008B02}48044136C:\Windows\Explorer.EXE{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:10.712{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD175AE73B25943D820ADBF1EFF77516,SHA256=A7CFF60C07C5137F6A9D1220FAB18682095F6FE857941423C7337CE2283C2289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.117{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4C0FD1BFAF9971BF8B97176BE970A0,SHA256=38ABB1184C7DA3C023EC79C1D50D52541B976873784802744F2894255B017543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.997{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.994{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.988{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.983{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.982{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.975{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.974{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.972{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.965{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.955{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.949{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.938{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.926{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.924{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.913{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.907{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.900{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.882{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.856{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.848{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.832{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.808{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000202598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.788{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFFD7589D238EA4BBB1657DDA8797D6,SHA256=F4DD0AEA4670F77F13548262DC70C73AD53D4EEEDC21EB6A58126FBAB32A7514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.778{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:11.767{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000295452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.821{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B73AD4F1F827AF041C2EE2BAB2ADA9A,SHA256=7CEB661F7384E931F075D933E0D3E7EF409DDF77E695861BA743FCE0D9DA5A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:08.890{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51836-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000295450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:08.890{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51836-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000295449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.457{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.457{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9B1F589047687864DCF095B8ABF28C6C,SHA256=538E93193148C8B239654BDDDB89E46D36397CEC3C708D4F9399D4F18F260C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.158{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41A9DCB7AADCAE1630712DFD7C31779,SHA256=25518F9CB18292CF29699ACB4E59D19C9D0E09B77E0C3F328BC7FF8C23B65930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:09.381{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.056{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-5D7F-6352-D003-000000008B02}6900C:\Windows\system32\nslookup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.041{30B46F62-5D60-6352-CE03-000000008B02}22927652C:\Windows\system32\conhost.exe{30B46F62-5D7F-6352-D003-000000008B02}6900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.041{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.041{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.041{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.041{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.025{30B46F62-48CD-6352-8900-000000008B02}3116760C:\Windows\system32\csrss.exe{30B46F62-5D7F-6352-D003-000000008B02}6900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.025{30B46F62-5D60-6352-CD03-000000008B02}75327420C:\Windows\system32\cmd.exe{30B46F62-5D7F-6352-D003-000000008B02}6900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:11.038{30B46F62-5D7F-6352-D003-000000008B02}6900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.attackrange.localC:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x8000000000000000295458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.440{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51298- 354300x8000000000000000295457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.436{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51297- 354300x8000000000000000295456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.434{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51296- 354300x8000000000000000295455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.434{00000000-0000-0000-0000-000000000000}6900<unknown process>-udptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51296-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domain 23542300x8000000000000000295454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:12.218{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D14D492D03671EA5ADA2E80E7850A0,SHA256=4AA9398294A54CA5F6D44B0F25E04CB4C464B6B2C6483930156C36F30C0F631F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:12.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC67586176E2F517A9E243A555FF70CF,SHA256=50E4D9E8CF845C8361F44E91669A29ACC7BA5C221466A0C92E57EDB782CF1A71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.463{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000295460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:10.441{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51299- 23542300x8000000000000000295459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:13.295{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D9DADC8D607504C86A3BAB124EC4F8,SHA256=FAC31C1FA88006389BBE0A2F3D3F59316B492FC6BB2CEA97F64DE2BD7F667B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:13.127{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB8E6ADDDD040969A74AE4E077DD264,SHA256=81CF6EF378211DB8DC7B6B62B5E4D82D6DD1D03F3C078F935A53CBAB98800B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:14.345{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5EA2A8A1FD8B164710C5D5DB090B91,SHA256=E331497FC938610B3330A0069DB95367943774EA0FB3B610F3B1BC2EA4249A5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:14.355{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-1F00-000000008C02}1200C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:14.179{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CF0313BF9CB1AC7C6A66B05D8D4676,SHA256=D3FD0E0B6DFC387F099FA2AD124B7B3AEF87CCCD95A66DFE9E6BD1DAF579F8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.406{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441DDC685D05E2AE55418C4F6AF8CAE6,SHA256=8CADC7B0028373F48F8861AFB82D5E9A9D2BFB1DC59BF957C203D68527D7AEFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.379{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.379{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.379{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000202628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:15.244{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDA7B3A6FCBB3B655FC86BDDFAAC779,SHA256=77AA2F0BF4B537B5D6A9D607DEFD6B916C9FB6FF725C1A1F732EDED8E5A977A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000295474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.363{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-5D60-6352-CE03-000000008B02}22927652C:\Windows\system32\conhost.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.348{30B46F62-48CD-6352-8900-000000008B02}31164056C:\Windows\system32\csrss.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.332{30B46F62-5D60-6352-CD03-000000008B02}75327420C:\Windows\system32\cmd.exe{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\system32\qwinsta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.346{30B46F62-5D83-6352-D103-000000008B02}5604C:\Windows\System32\qwinsta.exe10.0.14393.0 (rs1_release.160715-1616)Query Session UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationqwinsta.exeqwinstaC:\Users\Administrator\ATTACKRANGE\Administrator{30B46F62-48CE-6352-01B4-0B0000000000}0xbb4012HighMD5=D36DBFEBFDF8580FD6A3945548DC2208,SHA256=4E4F3651C108BB2D3B660DC1FE492373EAC23BC9D4C79B2D65521D03732797C0,IMPHASH=374BAB87D27C0874C5C374A1D2C1F399{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000295486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:16.464{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02109B8A2B524BE75D144AFC5BD730,SHA256=8F59A8345B47F67A274BDDFB65C15F95A8E98EF4539D1C7E7F093623EF10BF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:16.329{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C4F15AF17993FBBA5CDB005DC39AA2,SHA256=A3D4F878174E746D0CD89B600B54A557DF918F21B3C2D4AAADC74B7C429A457E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:15.498{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:17.525{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EB2F9DA219EAB68E0F0EE20E485387,SHA256=19A4E258D6985A9C9C97A62C3F698F2D8097A60A4A83AB917210F2A609EE2B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:15.363{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:17.408{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9933F2BE515CD49CC3A5DACCADEA53,SHA256=42D7EA4DEAFCEA69EC6F1CCDF103A24793F780B76AA406993F5B96FCA5C3C98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:18.566{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B144B5ABC576BEED61DF18F0437CFA,SHA256=B41FF222003199ADACFDEF8548B03CE414381C3CBA9B1FE71F2606FEED4A002C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:18.616{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8930A8410C4FD424F3E0B62584C94F4D,SHA256=74DA6921510A839CF3FABC9A0D705872A49208B25EB7B21A09232FFCF86CAF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:19.628{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9505F100A2B11419D352841DACAAB698,SHA256=3547C6109F43D53D52928CC2B926916B14B7953830826C6CA2878C73B8342C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:19.685{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971CC3DCF8928E1017676CC8D26D185D,SHA256=C76FA9F0301F34BCE988E48CAD3D2F2944E8D7BC2CB8F873C0310357E7148F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:19.238{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=957B6605A94946901373CDD4A4600EED,SHA256=07642A4AFD6E4A9874D93D782A998CD3E4FD84513AF8D3AEEAEEBB00EE721DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:20.769{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB03312B24371389D1B3039354B844F,SHA256=8F91B9B758ECAC5381AD0E78F86E8D803FD74EE3FB43DE952458FE04ADA161CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:20.738{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A7F36C9389DBEB13C064520629B3E9,SHA256=39163B8BB893EB4E8952E3F404F208F98E45FDCE7F395C2BDBEBDEBDCB3E9961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:20.463{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\respondent-20221021072107-087MD5=11E8465A834C19CCD571B4FFCA4D745B,SHA256=136E7EB7A08AE75A508248B384158FFCB43602C4B2D9F7383CC5E3C458E4206C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:21.862{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B685AF4B76ED8FDEE0B5841E3239AC38,SHA256=735045F326D42577E79CF198DA3058276DC91708089A69E09CB755B90C49E88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:21.971{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=D3C4F1F196853801A9057ED7D00D5894,SHA256=33CA7BF520B4D90E287CBDE2AB2F5ABB66A5F1BD0FE08CF58631E0E75FF9915D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:21.889{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D570DB742F69A66C8437B237F502E3D9,SHA256=47B663F7D9781684EA748633D777F6A0DE4F30A9B4E9C5210B3E98B01E91E4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:21.466{EFF5EEA8-4860-6352-1C00-000000008C02}1980NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d91ec1bc7f8f87ef\channels\health\surveyor-20221021072104-088MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:21.287{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D9527111AB4B801F14073E87F809E8,SHA256=4DE00C0DBB4868668A19D0FE0AAC43449EBFF828F8127393F7BEB6D423BF3BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:22.957{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BB309DC9B6F2E5F451A0B3167F03D0,SHA256=585B083F3DE3CAB098173DB64F6F2EDFFC741A4565A0292BBBC3B367EF439426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.989{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.987{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.976{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.968{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.966{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.964{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.962{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000202640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:21.336{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:23.165{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3853E350E2F2E4CAB683E2A3D504C664,SHA256=46B0D25E5623F9683F10A1FE13953560F089CDAF19595925EA892AE592471A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.956{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.950{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.937{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.928{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.919{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.912{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.885{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.870{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.862{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.854{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.844{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.804{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:23.800{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 354300x8000000000000000295496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:21.505{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:24.240{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DBBDE1E4656325CCB31F03775FFF3E,SHA256=54677B4FFDC9F398E5D07BD31698B5286D2F6B4800E764F9D5E4F4F985D7D1A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.432{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.429{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000295520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.019{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210F7872AF5C737C9E9C6B9480738A64,SHA256=FC61CEE2B4B978A11B230CABA71656E4B4217F810CA8E98803F1AD2869DA4BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.009{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.002{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:24.000{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000202642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:25.330{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBEB7ABA7990A8B4EFE0C9C53178DFB,SHA256=A7A9B8F718CD73FC538B1CC015EDFFDCF8DB5F9DB82D0EF165853A4EDC9072B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:25.060{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F334B0503BB2FCB71A59A957789BB72,SHA256=EBEF3340310C1EF9A905C2D6C9A1E5A7AF423259DEC3C7D3C23A112B7461EAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:26.424{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D53855561EB8C6A9856ED958DB09095,SHA256=51A0EB87E23B48CE8813AB502A653D00B0AC5DE8B67C0F9A9BA27BD36CCC6E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.999{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.998{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.994{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.993{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000295529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.992{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=63891030B1E3DE24AA69CB697782BD57,SHA256=6859401C815BAA532F0D46E6877F2C7D5B70B5766657709E10EA780529ED90A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.480{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.478{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.477{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.276{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2D00-000000008B02}2720C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:26.162{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCCD599C4579579456DD8D3314F586A,SHA256=C66CE1BC9F88AA2B8F35B3E77467FEBCAD999349681E2874F0BD5646F906F91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:27.504{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DA1CE3606D07729D87F0938B2B4D7A,SHA256=59B57A85B25655814DED658D8B93BA1D80702D41A9F23A14BE727C5C90EA3CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.259{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.258{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.254{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.248{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.244{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.240{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.235{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.230{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.224{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.219{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.218{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.216{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.216{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.214{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000295555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB12BA96AEC4E177EEB1B7AABCE255A5,SHA256=73193878CCFD777F1FBB430A224A5550C7288627BCFDD092E6BAE1D3C59FDB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.193{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.189{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.186{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.185{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.183{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.180{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.176{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.172{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.159{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.133{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.125{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.119{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.113{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.093{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.074{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.040{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.032{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.018{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.009{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.008{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 10341000x8000000000000000295534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.002{30B46F62-486C-6352-2D00-000000008B02}27203400C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013439150) 23542300x8000000000000000202645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:28.589{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC1CC398A3B97E13243788B844ECD55,SHA256=D0003C66D20F653ED0304A23521734F3B17A61565256FBBBB229F8847CD90A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:28.317{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A22E206EE466FE586C5C8FDBBECC3,SHA256=FDDF983EACF4296E22FCCE120DF469D9CD7F490F8111FA0E5ACD43CF528280C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:29.661{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FBC9D9B4C2292C1157A79FD0376D41,SHA256=5C84714868DEC6D87B4D8CE41EC980CCCBBFB3E20D4BAB520105B84457BB7921,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.880{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.881{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:27.514{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.424{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64393A75DE1977B0A649FA777F414406,SHA256=844795CC5C20F82A168A85E8D8ED79E8D2A00FE207C4BF38782822AC056D0731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.412{30B46F62-5D91-6352-D203-000000008B02}28003416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:26.469{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D91-6352-D203-000000008B02}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D91-6352-D203-000000008B02}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.199{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D91-6352-D203-000000008B02}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.200{30B46F62-5D91-6352-D203-000000008B02}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:30.734{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5982A4BA16031171BD7D89DAEB338455,SHA256=463E2D9A2FEA5325755D373FE9D4F9A777F4137E4FCEC7735FEC082CC485D773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D92-6352-D403-000000008B02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D92-6352-D403-000000008B02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.541{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D92-6352-D403-000000008B02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.542{30B46F62-5D92-6352-D403-000000008B02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.496{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CC21C4F2102F593E8CA6DB32EE9ADA,SHA256=377D2C41E3F92A122FEDEC18753ACFD3DB6C31ECE34F70FF6040439467CFFEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:30.052{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.241{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E21350FA7B70A18A6F5F6908A3EC8000,SHA256=611CD78A572F1865D3241FE5B74A366D7E13696DC4A2526F630536E6683714F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.180{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C6660BB16207F3D280C401E0769847D3,SHA256=267E2D3302921544F84A15429A8D6BB76471B0F3C809E0D3E19F5A49C583DE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.065{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.064{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D91-6352-D303-000000008B02}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 23542300x8000000000000000295590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:30.045{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=712293257B63EA3C1933CED1810B27A9,SHA256=5E8D32C8C0CB716E62CD10DEDEF8983460452335F1657BBEE73B8066D79C59D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.940{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.937{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.935{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.933{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.932{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.929{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.928{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.927{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.923{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.921{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.918{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.901{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.889{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.863{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.842{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.830{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.823{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000202658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.820{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36285D306BDA1F9324BEA8A457D5BAF,SHA256=9702651F6D01EE5DD0D8BD856B70741397ED947EC75B4EAA412FD3A2CF34EAE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.817{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.794{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.788{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.780{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.775{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.768{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.760{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:31.758{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 354300x8000000000000000295610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:29.539{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51841-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000295609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:31.516{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D91190C3BEFB6DE947AA115174E20BD,SHA256=C8892C5B9DF0E449F3159AF6175FA45793D812153350BD69DA5A1DAB88FDFD5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:31.164{30B46F62-486C-6352-2E00-000000008B02}2736NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4A34CF7179C11DE16458A6CE8C99DD10,SHA256=C7A3539E3499B96F4F8C511ABB96E91052FB9C194916E6AA87EDA9AACCD6F418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:32.564{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B2A5C099D8B2C4144EF9D5402DE87C,SHA256=A3CF59130582563FFE514BB98499B6AC557EDCD4B523CC24C30145E183A577BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:29.345{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000295611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:32.415{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\respondent-20221021072119-087MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:31.791{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51842-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:31.791{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local51842-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-188.attackrange.local389ldap 23542300x8000000000000000295623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.680{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A1052F39A4413CE35949479A47410D,SHA256=B2D65B03D80138676267AEAB445569A90F851F31AFF6107611DE5389E6A37D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:33.153{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D47BC981AD592BFBC193103854618C,SHA256=D8A795C4C3E0F13417C58E0A48426F704596E711BFCA4461DA011A514C460850,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.440{30B46F62-5D95-6352-D503-000000008B02}71724392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.413{30B46F62-486C-6352-2A00-000000008B02}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcef188573bb736f\channels\health\surveyor-20221021072117-088MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.216{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D95-6352-D503-000000008B02}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.214{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.214{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.213{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.213{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.213{30B46F62-485C-6352-0500-000000008B02}412400C:\Windows\system32\csrss.exe{30B46F62-5D95-6352-D503-000000008B02}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.213{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D95-6352-D503-000000008B02}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.212{30B46F62-5D95-6352-D503-000000008B02}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.780{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E693424E2A177BCA8BB9B5826E23A4F6,SHA256=DF861171F689700E23B8639B7274642B0DEBBF68629FD6527FA9E2CE48A30A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.713{30B46F62-5D96-6352-D603-000000008B02}66285412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000202682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:34.206{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBD97E995D3A182CBF585CDA025858F,SHA256=224476D6D6C7A72CFFA1AC4972907A6D4107A4A877E68CA2EA5CF05EA60C8BFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.515{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D96-6352-D603-000000008B02}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.513{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.513{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.513{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.513{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.512{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D96-6352-D603-000000008B02}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.512{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D96-6352-D603-000000008B02}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:34.512{30B46F62-5D96-6352-D603-000000008B02}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000295647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:33.539{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51843-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.765{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1B07F31D61484E3EDABBD1DF5B27EE,SHA256=8A8591464849E02F64923CB94D3789BA67E0035C318AFA18CA86CC70D6B83553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:35.286{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FD5BDFC1BFDC860E9D21C69763D818,SHA256=50E84D3AB1C386FD6B95B688AB84177A112E01A1542B8D1F7B206625242B1860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.614{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA0325FBAFFB6D0835EF3F82C42012F8,SHA256=FB123DDAC6C034830662481864D927FBFE63B921A1A16C36041CED959005C560,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.380{30B46F62-5D97-6352-D703-000000008B02}80406296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D97-6352-D703-000000008B02}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-485C-6352-0500-000000008B02}412428C:\Windows\system32\csrss.exe{30B46F62-5D97-6352-D703-000000008B02}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D97-6352-D703-000000008B02}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.196{30B46F62-5D97-6352-D703-000000008B02}8040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000202683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:32.416{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.880{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B0B57F5745E21AB5F69648CDAD2429,SHA256=945D7F059AD93ADAB39A879415B0623CFA38C5893BD3CDC1F05CDBB38526C857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:36.363{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07180BB437425720EE00CA308A423E4F,SHA256=F641D3F28D17BBC44D2A6AA5B8C408273A9FD6DF64DAB6E7FA30551FCEECAF0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.145{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.145{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.145{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.145{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.144{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.144{30B46F62-486C-6352-2D00-000000008B02}27203376C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000139003D0) 10341000x8000000000000000295655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.025{30B46F62-486E-6352-3800-000000008B02}32323252C:\Windows\system32\conhost.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.021{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.020{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.020{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.020{30B46F62-485E-6352-0C00-000000008B02}832860C:\Windows\system32\svchost.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.020{30B46F62-485C-6352-0500-000000008B02}412528C:\Windows\system32\csrss.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000295649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:36.019{30B46F62-486C-6352-2E00-000000008B02}27363412C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000295648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:35.866{30B46F62-5D97-6352-D803-000000008B02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{30B46F62-485C-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:37.941{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D0A1388709D9FB5A3DFA9262AB0C1C,SHA256=257C553F383882D77ECA0878AB31CEAED672F5A29B587F7466936CB98B02EF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:37.442{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D1D9E20AED1532E82B88D7A636A4C7,SHA256=69777E90E6CDD91B9D3E31F27B0C1460883798671509AD5D5BEFE3E5D754D1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:38.980{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1293647A9C748E18C3A8E1580A935ED0,SHA256=E9808CCCC85CC17936009C9C295E6E79100BDD8A8DE1EB5A4977E72E5BA0118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:38.522{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2CDF4C4D3C84D3A52603B941CA8540,SHA256=9D2FB0BE3D5830118DA9B0778315F24A01847C6796CDFAECDC7766CA20E91980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:39.592{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12EB6DC1532D898A72D2FDFFD186EB2,SHA256=72E5EB4BB4F2A16AEAEA39D734807FD3D9A6C40DEF19A2958D82077CDB4ADBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:40.679{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61E6E15B0889361375B32D5907EB43E,SHA256=A0C0F26CACB70389276ED9A65262433198E0BDE99B5FA42B0C1C223DD75E81CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:40.082{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51058D5F16084C552339DE42499B747C,SHA256=04E86269A559736D01D6FD49DF66762ED8E6A5CCAF921C0EBB6FA7CFF1C1C084,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:38.333{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:41.871{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BA02BD9134B5AB10536AF04026C7E5,SHA256=2E7823EBAD834FD17DB9A463B63D6115B7C17E5F6E30AFF1CF1476070B54F9A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:39.455{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51844-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:41.206{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF5B9EBBF8B36092BA25F10ED2F208B,SHA256=3A4E7C2E06BC940FB5EE96D005B572D4122274AFD0E08A4DADCF8CC870BC19E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:42.954{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1E475178334CB3CEB4D824BB71FB1E,SHA256=04962B0478C586B250DECE6CCD06FA4F4337CB6514C2717A44856A0F71C07533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:42.321{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B5EBC6A053AFE0DD8F7397BA2075DF,SHA256=E00F48970A0352ADFCEAE68B5F5857F23C228EC8908961ED835CFEAF6AEE8267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:42.041{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=D8BA7A6F3449D727F6EB062D7BAB887A,SHA256=EE56E3938E97EDD7F258662BE47CDFCA9CCE1F7CAC926C92035257652530A407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.995{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2C00-000000008B02}2692C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.991{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2B00-000000008B02}2608C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.989{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2A00-000000008B02}2588C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.982{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.981{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2700-000000008B02}2564C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.967{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2600-000000008B02}2556C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.960{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2500-000000008B02}2480C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.957{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4868-6352-2300-000000008B02}2336C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.956{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1D00-000000008B02}2084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.954{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1700-000000008B02}1448C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.947{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485F-6352-1600-000000008B02}1316C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.943{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1500-000000008B02}1084C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.928{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.918{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1300-000000008B02}848C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.904{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1200-000000008B02}372C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.896{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1100-000000008B02}688C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.872{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.860{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0F00-000000008B02}108C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.853{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0E00-000000008B02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.841{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.833{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485E-6352-0C00-000000008B02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.798{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.796{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-485C-6352-0900-000000008B02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000295670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:43.441{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A0CB7869556E5679FD352017D4CF3B,SHA256=A7FE562B7BF3B214605369DFA41C359E551F14B7C35B7B2165AE338F05688F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:44.497{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD19CCE9C38085A672A2DF8FC96EC739,SHA256=B392F276F1083F25AF3EDC3860860FE40B8C3146512635D3BD23B6CBC0A0AF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:44.020{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40ADF44B417A6C03B24EDDA659AFCF6,SHA256=CA79365984E2ED7495A7C05EB080BBD751ED51A4285D248E6705B8A29172705B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:44.388{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2F00-000000008B02}2744C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:44.385{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-2E00-000000008B02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000295697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:45.515{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009358B144BA23A06EE060C476C2E8AE,SHA256=7F072B51ED210953261CCCD5492535A25FFBB5D281DC6F57819E9CA58E2C1622,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.650{EFF5EEA8-5DA1-6352-0C03-000000008C02}34763536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000202708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:43.423{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000202707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA1-6352-0C03-000000008C02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5DA1-6352-0C03-000000008C02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA1-6352-0C03-000000008C02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.478{EFF5EEA8-5DA1-6352-0C03-000000008C02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:45.120{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D936B51E143D10B6CDEAFAF8004156,SHA256=F0992F1BBFB60B95B4348659D1F12E757A27ED4AC785A3D8BE72EBDECA1F0F28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.998{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9A00-000000008B02}4804C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.987{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CF-6352-9200-000000008B02}4312C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.980{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CE-6352-8F00-000000008B02}4232C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.975{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8C00-000000008B02}2600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.974{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48CD-6352-8A00-000000008B02}520C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.972{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-487F-6352-7B00-000000008B02}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.970{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.969{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486F-6352-4500-000000008B02}3620C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.967{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-4100-000000008B02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.967{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486E-6352-3800-000000008B02}3232C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 354300x8000000000000000295702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:44.636{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51845-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.542{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF1C808FBA994D0815A29636E9E8F2B,SHA256=515CF56E1E50CB28274D36C4264D0E7DF2A0E314CB8626FCB6BE516028A91DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA2-6352-0E03-000000008C02}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-485E-6352-0500-000000008C02}408968C:\Windows\system32\csrss.exe{EFF5EEA8-5DA2-6352-0E03-000000008C02}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.808{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA2-6352-0E03-000000008C02}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.809{EFF5EEA8-5DA2-6352-0E03-000000008C02}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.605{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25A2B77B3E2AC9BDB837786ACF145AE,SHA256=A238E2BFD3DB07FB095768D2D659E8A762DA9EF6CF6F05BFBBAC8AFF3E7E232F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.605{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=150E919512C16A41D325A5C3B5E544DB,SHA256=962A23A6BCE7C59FA8D24AB50BBA680224E78533A2B9572AA984C58697D3FF8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.605{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B1FEE6F28E6F6C9241241F56B6FD9945,SHA256=338D689A8A55DC509BB4463A5AB8FEBE886E4F53E7DEA0788480178548E86EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.332{EFF5EEA8-5DA2-6352-0D03-000000008C02}31444036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.279{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.278{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.278{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.278{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.278{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.277{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000295700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.445{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3300-000000008B02}2320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.444{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486D-6352-3100-000000008B02}3008C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:46.442{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-486C-6352-3000-000000008B02}2784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000202722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:46.150{EFF5EEA8-5DA2-6352-0D03-000000008C02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000295742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.713{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5DA3-6352-1003-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA3-6352-1003-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.996{EFF5EEA8-5DA3-6352-1003-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000202760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.620{EFF5EEA8-5DA3-6352-0F03-000000008C02}38202468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA3-6352-0F03-000000008C02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5DA3-6352-0F03-000000008C02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.479{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA3-6352-0F03-000000008C02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.480{EFF5EEA8-5DA3-6352-0F03-000000008C02}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.307{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0C61A6576B7793893EF95C2B65C965,SHA256=40AEF3A52B225AE659304002D0C9E86DA393F9B89A78A17E88D1F9AC498ACDE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000295741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.162{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CE03-000000008B02}2292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.162{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D60-6352-CD03-000000008B02}7532C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.159{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C203-000000008B02}4672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.156{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D2B-6352-C103-000000008B02}1004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.153{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D25-6352-C003-000000008B02}4884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.152{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D15-6352-B803-000000008B02}6792C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.150{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5D04-6352-B603-000000008B02}8144C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.147{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CEE-6352-B403-000000008B02}6008C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.142{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CD3-6352-AC03-000000008B02}6152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.139{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-AA03-000000008B02}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.138{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5CB9-6352-A903-000000008B02}7260C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.137{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3C03-000000008B02}7736C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.137{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-593A-6352-3B03-000000008B02}652C:\Temp\agent_tesla-deob-zip\hiew32demo.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.135{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-573A-6352-F702-000000008B02}8096C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.113{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5701-6352-EE02-000000008B02}7600C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.109{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-56D8-6352-EB02-000000008B02}5224C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.105{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-53DC-6352-8702-000000008B02}6840C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.105{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-5008-6352-F201-000000008B02}376C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.103{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4F33-6352-CA01-000000008B02}6212C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.100{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0B-6352-7301-000000008B02}4364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.097{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7201-000000008B02}5172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.095{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7101-000000008B02}5764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.088{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D0A-6352-7001-000000008B02}4340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.069{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4D08-6352-6F01-000000008B02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.061{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-4AFB-6352-2901-000000008B02}4928C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.060{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-49FC-6352-E200-000000008B02}1264C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.057{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48E7-6352-A900-000000008B02}5800C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.037{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9D00-000000008B02}2812C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 10341000x8000000000000000295713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.024{30B46F62-486C-6352-2D00-000000008B02}27203372C:\Program Files\Aurora-Agent\aurora-agent.exe{30B46F62-48D1-6352-9C00-000000008B02}2792C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013980190) 23542300x8000000000000000295745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:48.917{30B46F62-4D08-6352-6F01-000000008B02}2076ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\86ltvkez.default-release\datareporting\glean\db\data.safe.binMD5=562679ED58070CE8A881C1D392A69F54,SHA256=44724470B371A5E4A314962B72E5039A5C0F62CF75F2F928FB0A1B4EC22953A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:48.799{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739B744C406F69720AB348CBBEB3E879,SHA256=BD7EBF0042E622C3C458E91878A3CC4ED79AD788576B91E71583A179A0B44937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.772{EFF5EEA8-5DA4-6352-1103-000000008C02}34201472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA4-6352-1103-000000008C02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-485E-6352-0500-000000008C02}408424C:\Windows\system32\csrss.exe{EFF5EEA8-5DA4-6352-1103-000000008C02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA4-6352-1103-000000008C02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.603{EFF5EEA8-5DA4-6352-1103-000000008C02}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000202774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:48.600{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B27CE9436F7B26FBFF03A0D4D1489CB,SHA256=05CCC8E24E66E30313EEBCC693112474BB73FA766DD08718C167E22C44F6C7D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:48.066{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9302C0BF22684F1DE32B14AD7C1F893,SHA256=4FD547A5A07F46E86E88C50E0D0821AD72674B4571AEC31445E8E6B0C43D1BBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA3-6352-1003-000000008C02}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:47.995{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000295748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:49.922{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CAC8C71F4CF4657FA060B48CBBC3F1,SHA256=6FC98F182D0EE36C801140F11D065453DAF0A540318CEFB329DDE5FB02B3D23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.810{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86B8BA8CBB53056B92EFC4D6E0DFF97,SHA256=19223FEC7B1CA5D30938915F90E3CE0F132AD3BD7BC81B37E8CA6B164C3FB999,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.090{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51846-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 354300x8000000000000000295746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:47.090{30B46F62-485A-6352-0100-000000008B02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51846-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local445microsoft-ds 23542300x8000000000000000202808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.378{EFF5EEA8-4860-6352-1E00-000000008C02}2040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE1E0A9AF945DBCA1256A60064CD4F8E,SHA256=41DBA77E4FE9130B3A30F6E45B8356A36058C1B1EA7A259703296FA229ADFF5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.364{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.364{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.364{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.364{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.363{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.363{EFF5EEA8-4860-6352-1F00-000000008C02}12002836C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838CD0) 10341000x8000000000000000202801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-4861-6352-2B00-000000008C02}29042924C:\Windows\system32\conhost.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0C00-000000008C02}7243036C:\Windows\system32\svchost.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-485E-6352-0500-000000008C02}408524C:\Windows\system32\csrss.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000202790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.234{EFF5EEA8-4860-6352-1E00-000000008C02}20403780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000202789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.235{EFF5EEA8-5DA5-6352-1203-000000008C02}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{EFF5EEA8-485E-6352-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000295749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.972{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E79980493BDCB22F06001F1AB3C0B63,SHA256=8A1417985472DB6BBA53F99F182C8AFEF0D3EBB19277F5FFC221D16C4703A3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:50.886{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17023347883490DC902E7BCBD4BEBD2A,SHA256=3481CA36FC2B5E214F7398A87B2CD0AFFF3144DAADC2F5C0D9A8F8CBEF1ABDA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.963{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5BBD017ACF98579E277BFD2C39DCAC,SHA256=17B68AE405B4B51E50A23254A36C26153328317E48411BBF1EFFF75B46E1DFF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000202839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.909{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-585A-6352-7102-000000008C02}2068C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.906{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-48DA-6352-7C00-000000008C02}3972C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.903{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4873-6352-7400-000000008C02}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.901{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.900{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3D00-000000008C02}1988C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.898{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4862-6352-3C00-000000008C02}2008C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.897{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2B00-000000008C02}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.896{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2600-000000008C02}2600C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.894{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4861-6352-2500-000000008C02}2368C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.891{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2200-000000008C02}2052C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.887{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-2000-000000008C02}92C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000295753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:51.625{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485A-6352-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000295752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:51.623{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1400-000000008B02}1044C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:51.533{30B46F62-485C-6352-0B00-000000008B02}628752C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:51.521{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000202828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.879{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1E00-000000008C02}2040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.876{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1C00-000000008C02}1980C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.875{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1B00-000000008C02}1928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.866{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-4860-6352-1900-000000008C02}1776C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.863{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1700-000000008C02}1252C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.851{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1600-000000008C02}1212C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.844{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1500-000000008C02}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.837{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1400-000000008C02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.828{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1300-000000008C02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.820{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1200-000000008C02}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.812{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1100-000000008C02}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.788{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-1000-000000008C02}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.783{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0F00-000000008C02}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.776{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0E00-000000008C02}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.770{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485F-6352-0D00-000000008C02}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.764{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0C00-000000008C02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.759{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0B00-000000008C02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 10341000x8000000000000000202811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:51.757{EFF5EEA8-4860-6352-1F00-000000008C02}12003152C:\Program Files\Aurora-Agent\aurora-agent.exe{EFF5EEA8-485E-6352-0900-000000008C02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000159B2190) 23542300x8000000000000000295755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:52.557{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B19DA839043B7100617D162CB978ACA,SHA256=0F6178E1CACC8A2535C5A609789809E5A6C30A6B12C6596BFAEF6913CFD68FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:52.090{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8D11383E9537F373D2CA125A2DED88,SHA256=26665D9AB38177114E14F13F8A82B56E47DC445AAFAAAFBA52D6D8726C674AC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:49.369{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50753-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:53.037{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98792F6E285BDF213052CE9A03E79D7C,SHA256=D421937DF72BD65103874259B1DBC66457B3E9B79F9C4ACEFF45A0826DA9DDAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000295765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.909{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51851-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.909{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51851-false10.0.1.14win-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.898{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51850-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.898{30B46F62-485E-6352-1000-000000008B02}308C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51850-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local389ldap 354300x8000000000000000295761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.897{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51849-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000295760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.897{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51849-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local49666- 354300x8000000000000000295759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.896{30B46F62-485E-6352-0D00-000000008B02}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51848-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000295758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.896{30B46F62-485C-6352-0B00-000000008B02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local51848-truefe80:0:0:0:94c:2225:56b2:7f4fwin-dc-ctus-attack-range-188.attackrange.local135epmap 354300x8000000000000000295757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:50.578{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000295756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:53.204{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B274D8457FBFC4FF88889AF52C8420F5,SHA256=B1EA6B10C708DCB64F1287A5D592447E242055F11B3F2DC64245F3B74B0235B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:54.125{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263C89269F9CB87FE6C9161C641C91AE,SHA256=0F42D26DD5D10325AC9DDBE6ACAA502D6FEAD95021ACE379787CA432E794DB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:54.305{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60ED622A3C738D8E749389B206AA6C9,SHA256=100CEF357E80BAC3C37D186E6FEFC7E374383C45F89530B591867D4A1405B490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:55.201{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9E8EA9B56D2EE1785A858D20FF40DF,SHA256=9BB038CD357F419E1CECC41D478C0093693343EBF88A8348DE3176C7880E68E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:55.324{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B4622316467A15D948E3152FA4C46A,SHA256=81B731086074807B8439F3BAE5865599BB3B4EE7133A88F2E0B070BF648A5AE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000202846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:54.502{EFF5EEA8-486C-6352-6200-000000008C02}3912C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-144.us-east-2.compute.internal50754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000202845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:56.290{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA67177904F315EF89BB1561F6209E7,SHA256=12919D02DADEA93C47E8AE960E95D84062AC25AAB664FA742BDC61794ACF8535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:56.425{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F6DFAB688792515BEC321751EAAEAB,SHA256=D3E6D2CE7F25E036AF5724C62E9688E431E67631A2A6D5C934DAA8313BCCC0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:57.383{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29944692FC49423B4518668796C635D0,SHA256=E849EE662D87A2194A311C45CAD43DC5877EB57583D713287F63AD0E119C5546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:57.553{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9092DB4EC3DABD358FD7DFF89A1CB5,SHA256=823660BDE50083E198B6649FE822E21A5C19AD01927A6C62B15343C3BB55EAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:58.453{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26F37F966260F04FEA398114638204E,SHA256=29B4D396182615C8C7E8FFA78FE6252C1236DAD02B05D1E093DBD56E5D193B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:58.707{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795F8D30767BF9E9F0BE50C4790D322A,SHA256=CD14B7CFC77BA64729F28A2B018A44E740059A2D67512330BA019C44B6A6D402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000202849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-144-2022-10-21 08:51:59.527{EFF5EEA8-4873-6352-7400-000000008C02}2880NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F63AAF3B1002AB6DC17A44C6AC52E5,SHA256=E7AF6324BE48CC642644966015A4874B8CBA549CC71CCB1F8BDE31BA63A11457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000295777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:59.727{30B46F62-487F-6352-7B00-000000008B02}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF520C3D872FE3465D4A490591EA5C3,SHA256=66C1D5AE41A272D6EFAF1787C06C71C9D3D00C6B7C8DBFD28703C88128CF20EA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000295776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:59.510{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000295775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:59.498{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Config SourceDWORD (0x00000001) 13241300x8000000000000000295774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-SetValue2022-10-21 08:51:59.498{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\B51772D5-9883-4A2C-91E7-2B1355A0ACC3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_B51772D5-9883-4A2C-91E7-2B1355A0ACC3.XML 10341000x8000000000000000295773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:59.476{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:59.476{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000295771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:51:56.551{30B46F62-4878-6352-7100-000000008B02}3928C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-188.attackrange.local51852-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000295780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:52:00.353{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:52:00.353{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000295778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-188.attackrange.local-2022-10-21 08:52:00.353{30B46F62-485C-6352-0B00-000000008B02}628828C:\Windows\system32\lsass.exe{30B46F62-486C-6352-2800-000000008B02}2572C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791